[Bro] help regarding sending scripts
Jayanth Kannan
kjk at eecs.berkeley.edu
Thu May 15 09:45:16 PDT 2008
Thanks so much for the long and detailed reply! I am not quite sure which of
the many options you suggested I would go for, but I will keep the list
posted on what I end up doing. I guess I will play with all your options a
little bit, and figure out what works for me.
Thanks,
Jayanth
On Wed, May 14, 2008 at 5:30 PM, Robin Sommer <robin at icir.org> wrote:
> (Late reply, sorry.)
>
> On Fri, May 02, 2008 at 09:30 -0700, you wrote:
>
> > I have a question about sending scripts from one Bro to a second one, and
> > having the second one install the script at run-time, and I was wondering
> > how it would be done. Any help appreciated! Details below.
>
> This requires a longer answer ...
>
> We don't have any prepackaged functionality at the moment to simply
> do a "send everything and install".
>
> What we have are two things:
>
> (a) a built-in function send_id() which will send a particular
> script-level ID to the remote end, which will install it. That
> includes variables but also event handlers, script functions,
> etc. By sending all global IDs successively, one will eventually
> have sent the whole configuration. (However, that would be best
> done in C++ code by writing a new built-in function).
>
> (b) If it doesn't need to be network communication, there's the
> command-line option "--dump-config" that puts the whole
> configuration into a binary file, which can then be picked up by
> another instance dynamically (by copying the file into the
> .state directory of the target Bro). Internally, dump-config
> essentially does just what I sketched above in (a): iterating
> through all IDs and serializing them.
>
> So much for the theory. Now the practical part: I think this whole
> set of functionality hasn't been used by anybody in a long time.
> Because of Bro's internal structure, replacing policy scripts at
> run-time is actually pretty tricky and I wouldn't want to bet much
> money that when you try --dump-config, it will "just work". It did
> seem to work well with tests done while implementing all this stuff,
> yet I think it has never been exercised very much and the problems
> are subtle here.
>
> So, depending on what exactly you need, I'd suggest something
> different, which is what the Bro cluster is doing:
>
> (1) many policy changes are limited to fine-tuning, e.g., changing
> the value of some configuration paramemter, like extending a
> regexp to match more activity, or changing some detection
> threshold. Sending just values of script variables works
> actually pretty well and the Bro cluster limits online updates
> to such cases: all variables which are declared as &redef can be
> updated dynamically from remote. This is implemented by the
> script aux/cluster/policy/send-config.bro in my branch.
>
> (2) another typical policy change is enabling/disabling a certain
> kind of analysis (such as now loading the HTTP analyzer, or
> disabling scan detection). My branch has some code to enable
> this from remote by grouping related events into "event groups"
> and then allowing to enable/disable event groups remotely. So
> this can also be done during run-time.
>
> (3) finally, for everyting else (like adding new script code, or
> changing an existing handler) Bro needs to be reinstarted. The
> impact of that is mitigated by using persistent state so
> that at least the most important state information is kept
> across restarts.
>
>
> Any questions? :-)
>
> Robin
>
>
> --
> Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20080515/7c745c4d/attachment.html
More information about the Bro
mailing list