[Bro] SQL usage in Bro

Jim Mellander jmellander at lbl.gov
Thu Feb 11 14:04:13 PST 2010 

Seth Hall wrote:
> 
> On Feb 11, 2010, at 3:36 PM, Jim Mellander wrote:
> 
>> However, I've thought about databasizing this, either via a broccoli
>> enabled
>> 'oracle' program, fed URLs and returning bro events signifying actions
>> to take,
>> or using the database extensions Seth has added to the bro code to
>> access a
>> persistent database instead.
> 
> Heh.  I *wish* the database extension was finished. :)  It's close, but
> it doesn't quite work yet.
> 
>> Does anyone have any information on performance metrics of the postgresql
>> bindings for bro, both with the sql server on localhost, and being on
>> a remote
>> box (might be accessed by multiple bros)?
> 
> The way I've been implementing it is that performance of the database
> wouldn't have much of an impact on anything.  It's currently implemented
> to behave asynchronously where a query is executed and as the data
> becomes available it is inserted into a hidden internal copy of the
> variable.  Once the query is done returning data, the hidden variable is
> assigned overtop of the original variable with all of the potentially
> new data.  The timers then continue on and do any other database backed
> variables that may need to be updated with the same process.
> 
> It seems that you may be confused about how it works though.  What I'm
> implementing is just for pulling data into variables on a interval. 
> Here's an example.....
> 
> global bad_urls: set[string] &query="SELECT url FROM bad_urls"
> &query_interval=1hour;
> 
> That will place the elements from the single field returned from the
> query into the string set every hour (replacing the previous data). 
> It's not the end-all solution that people are looking for I think, but
> it's part of it for sure.
> 
>  .Seth
> 

Well, thats cool in a different way than I envisioned - I assumed you could
issue a query and an event would be raised when the results were available.
This is closer the the idea of databased-backed persistent variables, although
on a timed basis.  Is there some way that an immediate refresh can be requested
by bro, e.g. when the backing database changes, sending an event to bro which
can then trigger a refresh on the dataset?

I'm thinking the paradigm you are using may work for my application, with a few
tweaks....

Thanks in advance.


-- 
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

The Internet is being scanned for viruses.

More information about the Bro mailing list