[Bro] SQL usage in Bro
Seth Hall
hall.692 at osu.edu
Thu Feb 11 13:41:03 PST 2010
On Feb 11, 2010, at 3:36 PM, Jim Mellander wrote:
> However, I've thought about databasizing this, either via a broccoli enabled 'oracle' program, fed URLs and returning bro events signifying actions to take, or using the database extensions Seth has added to the bro code to access a persistent database instead.
Heh. I *wish* the database extension was finished. :) It's close,
but it doesn't quite work yet.
> Does anyone have any information on performance metrics of the postgresql bindings for bro, both with the sql server on localhost, and being on a remote box (might be accessed by multiple bros)?
The way I've been implementing it is that performance of the database
wouldn't have much of an impact on anything. It's currently
implemented to behave asynchronously where a query is executed and as
the data becomes available it is inserted into a hidden internal copy
of the variable. Once the query is done returning data, the hidden
variable is assigned overtop of the original variable with all of the
potentially new data. The timers then continue on and do any other
database backed variables that may need to be updated with the same
process.
It seems that you may be confused about how it works though. What I'm
implementing is just for pulling data into variables on an interval.
Here's an example:
global bad_urls: set[string] &query="SELECT url FROM bad_urls"
&query_interval=1hour;
That will place the elements from the single field returned from the
query into the string set every hour (replacing the previous data).
It's not the end-all solution that people are looking for I think, but
it's part of it for sure.
.Seth
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
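To make the hidden-copy-then-swap refresh described above concrete, here is a small Python sketch of the same pattern against an in-memory SQLite table. This is an added illustration, not code from Bro or from the database extension discussed in the thread; the class name, the table contents and the lock are all constructed for this example.

```python
import sqlite3
import threading

# Constructed sample rows standing in for a real bad_urls table.
SAMPLE_URLS = ["http://example.invalid/a", "http://example.invalid/b"]


class QueryBackedSet:
    """A set refilled from a SQL query on an interval, mirroring the
    &query / &query_interval behaviour described in the post (assumed design)."""

    def __init__(self, conn, query, interval=3600.0):
        self._conn = conn
        self._query = query
        self._interval = interval
        self._lock = threading.Lock()
        self.value = set()  # the visible variable that lookups read

    def refresh(self):
        """Run the query, fill a hidden copy row by row, then assign it over
        the visible set in one step, so a reader never sees a half-loaded set
        and entries no longer returned by the query drop out (replace, not merge)."""
        hidden = set()
        for (url,) in self._conn.execute(self._query):
            hidden.add(url)
        with self._lock:
            self.value = hidden
        return len(hidden)

    def contains(self, item):
        with self._lock:
            return item in self.value

    def schedule(self):
        """Re-run the refresh every interval on a daemon timer thread."""
        self.refresh()
        t = threading.Timer(self._interval, self.schedule)
        t.daemon = True
        t.start()


def run_demo():
    # check_same_thread=False lets the timer thread reuse the connection.
    conn = sqlite3.connect(":memory:", check_same_thread=False)
    conn.execute("CREATE TABLE bad_urls (url TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO bad_urls VALUES (?)", [(u,) for u in SAMPLE_URLS])
    bad_urls = QueryBackedSet(conn, "SELECT url FROM bad_urls")
    first = bad_urls.refresh()
    seen_a = bad_urls.contains("http://example.invalid/a")
    # Table changes between two intervals: one entry removed, one added.
    conn.execute("DELETE FROM bad_urls WHERE url = ?", ("http://example.invalid/a",))
    conn.execute("INSERT INTO bad_urls VALUES (?)", ("http://example.invalid/c",))
    second = bad_urls.refresh()
    return (first, seen_a, bad_urls.contains("http://example.invalid/a"),
            bad_urls.contains("http://example.invalid/c"), second)
```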