[Bro] SQL usage in Bro
Seth Hall
hall.692 at osu.edu
Fri Feb 12 04:01:29 PST 2010
I love that this stuff is finally being discussed. :)
On Feb 11, 2010, at 5:04 PM, Jim Mellander wrote:
> Is there some way that an immediate refresh can be requested
> by bro, e.g. when the backing database changes, sending an event to
> bro which can then trigger a refresh on the dataset?
I think this could be accommodated by calling a function which would
kick off the update immediately. You could wrap the function inside
an event handler and then you'd have something that broctl could call.
> I'm thinking the paradigm you are using may work for my application,
> with a few tweaks....
The only thing I don't really know how to handle is the opposite direction. I
can't come up with a clean syntax for pushing back into a database.
It would be great if you could do...
add bad_urls["http://www.microsoft.com/"];
... and the URL would get pushed into the database. You could use my
bro-dblogger project to do it, but you'd have to do the "add" like
above in addition to...
event db_log("bad_urls", [$url="http://www.microsoft.com/"]);
It's kind of messy, but maybe it's not as bad as I'm thinking.
.Seth
---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721