[Bro] SQL usage in Bro

Jim Mellander jmellander at lbl.gov
Fri Feb 12 11:33:56 PST 2010


Thanks Seth:

Seth Hall wrote:
> I love that this stuff is finally being discussed. :)
> 
> On Feb 11, 2010, at 5:04 PM, Jim Mellander wrote:
>> Is there some way that an immediate refresh can be requested
>> by bro, e.g. when the backing database changes, sending an event to
>> bro which
>> can then trigger a refresh on the dataset?
> 
> I think this could be accommodated by calling a function which would
> kick off the update immediately.  You could wrap the function inside an
> event handler and then you'd have something that broctl could call.

The event handling part is a piece of cake, but I'm unclear on how to 'kick off
the update immediately', which I presume is part of your patch.  Do you have
further data on that piece of the puzzle?

> 
>> I'm thinking the paradigm you are using may work for my application,
>> with a few
>> tweaks....
> 
> 
> The only thing I don't really know how to handle is the opposite direction.  I
> can't come up with a clean syntax for pushing back into a database.  It
> would be great if you could do...
> add bad_urls["http://www.microsoft.com/"];
> ... and the URL would get pushed into the database.  You could use my
> bro-dblogger project to do it, but you'd have to do the "add" like above
> in addition to...
> event db_log("bad_urls", [$url="http://www.microsoft.com/"]);
> 
> It's kind of messy, but maybe it's not as bad as I'm thinking.
> 
>   .Seth
> 

For my application, it isn't necessarily essential to write back to the
database, although it would be nice to have statistics columns that could be
updated as hits occur - could do that via a brocolli enabled external database
helper app.

Off the top of my head, tho', as far as pushing back to the database, why not
the same syntax as you are using, with an update sql command, and interval along
with an invisible 'modified' flag per row, so that only rows which were actually
modified were written back????  Still not a true database backed table, but
closer...  (now if bro supported OOP..., aw never mind.......)


-- 
Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

We're on Token Ring, and it looks like the token got loose.
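As an added example (not Seth's patch, not bro-dblogger, and not part of the thread), here is how the "invisible modified flag per row, write back only modified rows" idea above could be sketched in the external database helper app, using Python with sqlite3; the table name, column names, URLs and the WriteBackTable class are all assumptions:

```python
import sqlite3


class WriteBackTable:
    """Cache of the bad_urls table, one row per URL, each row carrying a hit
    counter and a 'modified' flag. flush() issues an UPDATE only for rows whose
    flag is set and then clears the flag, so unmodified rows never touch the DB."""

    def __init__(self, conn):
        self.conn = conn
        self.rows = {}  # url -> {"hits": int, "modified": bool}

    def refresh(self):
        # Full reload from the database: what the interval refresh (or an
        # explicit "kick off the update now" event) would do.
        self.rows = {url: {"hits": hits, "modified": False}
                     for url, hits in self.conn.execute("SELECT url, hits FROM bad_urls")}

    def record_hit(self, url):
        # Returns False for a URL that is not in the table (no row to update).
        if url not in self.rows:
            return False
        self.rows[url]["hits"] += 1
        self.rows[url]["modified"] = True
        return True

    def flush(self):
        dirty = [(r["hits"], url) for url, r in self.rows.items() if r["modified"]]
        # Parameterised UPDATE: URLs come from traffic, so never splice them into SQL.
        self.conn.executemany("UPDATE bad_urls SET hits = ? WHERE url = ?", dirty)
        self.conn.commit()
        for _, url in dirty:
            self.rows[url]["modified"] = False
        return len(dirty)  # number of rows actually written back


def demo():
    # Constructed in-memory database and sample URLs, assumed for the example.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bad_urls (url TEXT PRIMARY KEY, hits INTEGER NOT NULL DEFAULT 0)")
    conn.executemany("INSERT INTO bad_urls VALUES (?, 0)",
                     [("http://bad.example/a",), ("http://bad.example/b",)])
    conn.commit()
    t = WriteBackTable(conn)
    t.refresh()
    t.record_hit("http://bad.example/a")
    t.record_hit("http://bad.example/a")
    written = t.flush()
    hits = dict(conn.execute("SELECT url, hits FROM bad_urls"))
    return written, hits, t.flush()
```

A second flush right after the first writes nothing, which is the point: the interval timer can fire as often as you like and only the rows that changed since the last write cost a database round trip.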


