[Bro] SQL usage in Bro

Seth Hall hall.692 at osu.edu
Fri Feb 12 11:50:14 PST 2010


On Feb 12, 2010, at 2:33 PM, Jim Mellander wrote:

> The event handling part is a piece of cake, but I'm unclear on how to 'kick off
> the update immediately', which I presume is part of your patch.  Do you have
> further data on that piece of the puzzle?

My thought would be that you could do something like...

 > broctl db_update bad_urls

That would throw an event named db_update to one or all of the hosts  
(still haven't decided on this yet) which would be handled like this  
(theoretically)...

event db_update(var: string)
	{
	force_db_update(var);
	}

The force_db_update function could be a built-in function that would  
look up the variable named by the value of the string "var" and force  
it to update from the database.

>  could do that via a brocolli enabled external database
> helper app.

Like bro_dblogger maybe?
   http://github.com/sethhall/bro-dblogger

The syntax I gave in my previous email works for the dblogger project.

> Off the top of my head, tho', as far as pushing back to the database, why not
> the same syntax as you are using, with an update sql command, and interval along
> with an invisible 'modified' flag per row, so that only rows which were actually
> modified were written back????  Still not a true database backed table, but
> closer...  (now if bro supported OOP..., aw never mind.......)


Maybe if there was an attribute to attach to tables and sets to  
indicate that you'd like to throw an event when an item is added?  Off  
the top of my head now...

function new_bad_url(val: string)
	{
	event db_log("bad_urls", [$url=val]);
	}
global bad_urls: set[string] &add_func=new_bad_url;

Alternatively, that could be written as:
global bad_urls: set[string] &add_func=function(val: string) { event db_log("bad_urls", [$url=val]); };

That should work and I don't *think* it would be very difficult to  
write the &add_func attribute.  And it fits right alongside the  
existing &expire_func attribute. :)

   .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
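The database-backed table sketched in this thread (load a set from a SQL table, hand each new item to an add hook, write back only rows carrying a "modified" flag, and force a reload from the database on demand), modeled as an added Python example. This is not Bro script and not Seth Hall's, Jim Mellander's or bro-dblogger's code; the DbBackedSet class, the demo() function, the sqlite3 stand-in for the real database and the URLs in it are constructed for illustration, and the add callback stands in for the proposed &add_func.

```python
"""Model of the design discussed above: an in-memory set mirrored to one SQL table.

Constructed example (not Bro/Zeek code); sqlite3 stands in for the real database.
"""
import sqlite3
from typing import Callable, Dict, Optional


class DbBackedSet:
    """Strings from one column of a SQL table, cached in memory.

    refresh()  reloads the cache from the database (the "force it to update
               from the database" step a force_db_update BiF would perform).
    add()      inserts locally, sets the row's modified flag and fires the
               add callback (what the proposed &add_func would do).
    flush()    writes back only rows whose modified flag is set.
    """

    def __init__(self, conn: sqlite3.Connection, table: str, column: str,
                 add_func: Optional[Callable[[str], None]] = None) -> None:
        # Identifiers cannot be bound as query parameters, so they are spliced
        # into the SQL text; refuse anything that is not a plain identifier so
        # a config typo or a hostile table name cannot turn into SQL injection.
        for ident in (table, column):
            if not ident.isidentifier():
                raise ValueError("unsafe SQL identifier: %r" % ident)
        self.conn = conn
        self.table = table
        self.column = column
        self.add_func = add_func
        self._rows: Dict[str, bool] = {}  # value -> modified flag
        self.refresh()

    def refresh(self) -> int:
        """Reload from the database, keeping local rows not yet flushed."""
        fresh = {row[0]: False for row in
                 self.conn.execute("SELECT %s FROM %s" % (self.column, self.table))}
        for value, modified in self._rows.items():
            if modified:
                fresh[value] = True
        self._rows = fresh
        return len(fresh)

    def add(self, value: str) -> bool:
        """Add a value; returns False if already present (no flag, no callback)."""
        if value in self._rows:
            return False
        self._rows[value] = True
        if self.add_func is not None:
            self.add_func(value)
        return True

    def flush(self) -> int:
        """Write back only the modified rows; returns how many were written."""
        dirty = [v for v, modified in self._rows.items() if modified]
        self.conn.executemany(
            "INSERT OR IGNORE INTO %s (%s) VALUES (?)" % (self.table, self.column),
            [(v,) for v in dirty])
        self.conn.commit()
        for v in dirty:
            self._rows[v] = False
        return len(dirty)

    def __contains__(self, value: str) -> bool:
        return value in self._rows

    def __len__(self) -> int:
        return len(self._rows)


def demo() -> dict:
    """Run the whole cycle on an in-memory database with constructed URLs."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bad_urls (url TEXT PRIMARY KEY)")
    conn.execute("INSERT INTO bad_urls (url) VALUES ('http://bad.example/a')")
    conn.commit()

    db_log = []  # stands in for the db_log event the script would raise
    bad_urls = DbBackedSet(conn, "bad_urls", "url",
                           add_func=lambda u: db_log.append(("bad_urls", u)))
    loaded = len(bad_urls)

    added = [bad_urls.add("http://bad.example/b"),
             bad_urls.add("http://bad.example/c"),
             bad_urls.add("http://bad.example/a")]  # duplicate: no flag, no event
    written = bad_urls.flush()        # only the two modified rows go back
    written_again = bad_urls.flush()  # nothing left to write

    # Someone else (another host, a Broccoli helper app) updates the table;
    # the cache is stale until a forced refresh.
    conn.execute("INSERT INTO bad_urls (url) VALUES ('http://bad.example/d')")
    conn.commit()
    before = "http://bad.example/d" in bad_urls
    bad_urls.refresh()
    after = "http://bad.example/d" in bad_urls

    rows_in_db = conn.execute("SELECT COUNT(*) FROM bad_urls").fetchone()[0]
    return {"loaded": loaded, "added": added, "written": written,
            "written_again": written_again, "db_log": db_log,
            "before_refresh": before, "after_refresh": after,
            "rows_in_db": rows_in_db}


if __name__ == "__main__":
    print(demo())
```

Two points worth carrying over to a real implementation: the table and column names are spliced into the query text because SQL identifiers cannot be bound as parameters, so they must be validated (here with isidentifier()) rather than taken from anything untrusted; and refresh() keeps rows that have been added locally but not yet flushed, otherwise a forced reload would silently drop pending additions.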



