[Bro] SQL usage in Bro

Justin Azoff JAzoff at uamail.albany.edu
Thu Feb 11 14:02:38 PST 2010


On Thu, Feb 11, 2010 at 04:41:03PM -0500, Seth Hall wrote:
> global bad_urls: set[string] &query="SELECT url FROM bad_urls"  
> &query_interval=1hour;

Interesting.. I was thinking about doing something like this just using broccoli..

start with a plain..

    global bad_urls: set[string];

add new events similar to request_id...

    event set_add(tbl: string, key: string);
    event set_remove(tbl: string, key: string);

    event table_add(tbl: string, key: string, val: string);
    event table_remove(tbl: string, key: string);

then you would have code that uses broccoli that selects the rows from the DB and fires off events like

    set_add("bad_urls", "http://example.com/")

This way you could use any database, or even just a flatfile for storing bad
urls.. all the logic for getting the actual records would be implemented in
python (or C or Ruby...), the only changes to bro would be the new set and table
events.

-- 
-- Justin Azoff
-- Network Security & Performance Analyst
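The feeder side of the design above, as an added example that is not code from this post, from Bro or from Broccoli: a Python program polls a database with the `SELECT url FROM bad_urls` query from Seth's `&query` attribute, keeps track of what it already pushed, and emits only the delta as the proposed `set_add`/`set_remove` (and `table_add`/`table_remove`) events, so Bro's container mirrors the DB without a full reload on every poll. The `send_event(name, *args)` callback is an assumption standing in for whatever Broccoli binding delivers the event; the in-memory sqlite database is constructed sample data.

```python
# Added example (not code from the post, Bro or Broccoli): a Python feeder that
# reads rows from a database and turns changes into the generic set_add /
# set_remove / table_add / table_remove events the post proposes.
# ASSUMPTION: send_event(name, *args) stands in for the Broccoli call that
# delivers an event to Bro; wire it to your binding of choice.
import sqlite3


class ContainerSyncer:
    """Track what has already been pushed to Bro per named container and emit
    only the delta on each poll, so Bro's set/table mirrors the DB."""

    def __init__(self, send_event):
        self.send_event = send_event
        self.sets = {}    # container name -> set of keys last pushed
        self.tables = {}  # container name -> {key: val} last pushed

    def sync_set(self, tbl, keys):
        current = set(keys)
        prev = self.sets.get(tbl, set())
        added = sorted(current - prev)
        removed = sorted(prev - current)
        for k in added:
            self.send_event("set_add", tbl, k)
        for k in removed:
            self.send_event("set_remove", tbl, k)
        self.sets[tbl] = current
        return added, removed

    def sync_table(self, tbl, mapping):
        current = dict(mapping)
        prev = self.tables.get(tbl, {})
        # an entry is re-sent when its value changed; table_add overwrites on the Bro side
        changed = sorted(k for k, v in current.items() if prev.get(k) != v)
        removed = sorted(k for k in prev if k not in current)
        for k in changed:
            self.send_event("table_add", tbl, k, current[k])
        for k in removed:
            self.send_event("table_remove", tbl, k)
        self.tables[tbl] = current
        return changed, removed


def load_bad_urls(conn):
    """The query from the quoted &query attribute, run by the feeder instead of Bro."""
    return [row[0] for row in conn.execute("SELECT url FROM bad_urls")]


def build_sample_db():
    """Constructed sample data; any DB with a bad_urls(url) table would do."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bad_urls (url TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO bad_urls VALUES (?)",
                     [("http://example.com/",), ("http://example.net/evil",)])
    return conn


def demo():
    """Two polling rounds against a DB that changes in between; returns the
    events that would have been sent to Bro, in order."""
    sent = []
    syncer = ContainerSyncer(lambda name, *args: sent.append((name,) + args))
    conn = build_sample_db()
    syncer.sync_set("bad_urls", load_bad_urls(conn))      # first poll: full load
    conn.execute("DELETE FROM bad_urls WHERE url = ?", ("http://example.net/evil",))
    conn.execute("INSERT INTO bad_urls VALUES (?)", ("http://example.org/phish",))
    syncer.sync_set("bad_urls", load_bad_urls(conn))      # second poll: delta only
    return sent


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

On the Bro side the handler has to dispatch on the `tbl` string and ignore names it does not know, e.g. `event set_add(tbl: string, key: string) { if ( tbl == "bad_urls" ) add bad_urls[key]; }`, since the container is chosen by a string that arrives from a remote peer. The same point cuts the other way: anything that can connect to the Broccoli listener and send these events can populate or empty the sets, so the feeder's connection needs the same restrictions as any other trusted peer.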