[Bro] Connection records in a database?

Seth Hall hall.692 at osu.edu
Mon Oct 6 08:04:55 PDT 2008


On Oct 4, 2008, at 2:53 AM, mel wrote:
> I have something[1] similar written late last year, which parses Bro
> logs and inserts the data to PostgreSQL[2]. I also have an extremely
> alpha version of the web frontend, written in PHP with Symfony  
> framework.

Nice! I'd be interested to take a look at it.  I've been working on  
something similar recently.

I checked out your log importer too, but I noticed that you're doing  
individual inserts for each record.  In my testing, doing individual  
inserts doesn't scale for high data rates; the database can't insert  
data quickly enough.  I have been using the COPY [1] method for  
inserting data in batches and it turns out that even at high data  
rates the database can keep up just fine.

>> I'm going to get started on a C or C++ application soon that will use
>> Broccoli to listen to some event which would be intended for database
>> logging.  You would have to run a Bro script that would throw the
>> database logging event for each connection, but that should be fairly
>> easy to write.  We'll see how far I make it with that. :)
>
> Keep us updated!


On Friday, I got an initial version of my C++ database logger  
functioning. :)  Here's how it will work...

In your bro scripts, you'll call something like this (field names and  
values don't have to have the same name)...
   event db_log("http_logs", [$orig_h=orig_h, $resp_h=resp_h,
                $resp_p=resp_p, $method=method, $url=url]);

The database logger will listen for the db_log event and dynamically  
create the following SQL query...
   COPY http_logs (orig_h, resp_h, resp_p, method, url) FROM STDIN

Every time the db_log event is called for that table, it will send  
another row of data to the database.  Once a certain number of rows  
have been pushed to the database it will end the COPY query and all of  
the data you have already pushed to the database will be inserted.   
The COPY query will then be executed again and the cycle repeats.

For any data you want to insert to a database, all you have to do is  
make sure that your database has the necessary fields in it, then  
throw the proper db_log event.  I'll be releasing the code under the  
BSD license as soon as I get a few more features added to it.

   .Seth

[1] http://www.postgresql.org/docs/current/static/libpq-copy.html#LIBPQ-COPY-SEND

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
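Added illustration of the batched COPY scheme Seth describes (not his logger's code, which is not in this post): the COPY statement is built from the db_log table and field names, rows are encoded in COPY's text format, and each full batch is handed off through a sink callback that stands in for the libpq calls. All names here (copyEscape, quoteIdent, CopyBatcher, Record) are hypothetical.

```cpp
#include <functional>
#include <map>
#include <string>
#include <vector>
// COPY text format: tab-separated columns, one row per line, backslash escapes. A raw
// tab/newline in a field taken from traffic (a URL, say) would shift columns or add a row.
std::string copyEscape(const std::string& v) {
    std::string out;
    for (char c : v) {
        if (c == '\\') out += "\\\\";
        else if (c == '\t') out += "\\t";
        else if (c == '\n') out += "\\n";
        else if (c == '\r') out += "\\r";
        else out += c;
    }
    return out;
}
// Table and column names arrive from the Bro script; quote them as identifiers.
std::string quoteIdent(const std::string& id) {
    std::string out = "\"";
    for (char c : id) { if (c == '"') out += '"'; out += c; }
    return out + "\"";
}
std::string buildCopyStmt(const std::string& table, const std::vector<std::string>& cols) {
    std::string s = "COPY " + quoteIdent(table) + " (";
    for (size_t i = 0; i < cols.size(); ++i) s += (i ? ", " : "") + quoteIdent(cols[i]);
    return s + ") FROM STDIN";
}
using Record = std::vector<std::pair<std::string, std::string>>;  // (column, value), in order
// Buffers rows per table; each full batch goes to `sink` (with libpq: PQexec, PQputCopyData, PQputCopyEnd).
class CopyBatcher {
public:
    using Sink = std::function<void(const std::string& stmt, const std::string& data)>;
    CopyBatcher(size_t batchSize, Sink sink) : batchSize_(batchSize), sink_(sink) {}
    void log(const std::string& table, const Record& rec) {  // one db_log event
        Batch& b = batches_[table];
        if (b.cols.empty()) for (const auto& kv : rec) b.cols.push_back(kv.first);
        for (size_t i = 0; i < rec.size(); ++i) b.data += (i ? "\t" : "") + copyEscape(rec[i].second);
        b.data += "\n";
        if (++b.rows >= batchSize_) flush(table);
    }
    void flush(const std::string& table) {  // ends the current COPY for this table
        Batch& b = batches_[table];
        if (b.rows == 0) return;
        sink_(buildCopyStmt(table, b.cols), b.data);
        b.data.clear(); b.rows = 0;
    }
private:
    struct Batch { std::vector<std::string> cols; std::string data; size_t rows = 0; };
    std::map<std::string, Batch> batches_; size_t batchSize_; Sink sink_;
};
```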