[Bro] Howto

Martin Holste mcholste at gmail.com
Thu Jul 21 09:48:39 PDT 2011


> @load protocols/ssl
> event SSL::log_ssl(rec: SSL::Info)
>        {
>        if ( rec$not_valid_before > network_time() - 60*60*24*30 )
>                {
>                print fmt("%s is using a certificate that was created %d days ago",
>                        rec$id$resp_h, (network_time()-rec$not_valid_before) / (60*60*24));
>                }
>        }
>

Awesome, this is good stuff!  Now I have a concrete goal.  If I can
get just this working, it will have been worth my time.

> @load protocols/ssl
> event x509_certificate(c: connection, cert: X509, is_server: bool, chain_idx: count, chain_len: count, der_cert: string)
>        {
>        # The entire certificate chain is presented to us here but we only want chain_idx==0 because that's the actual host certificate.
>        if ( chain_idx != 0 )
>                return;
>
>        if ( cert$not_valid_before > network_time() - 60*60*24*30 )
>                {
>                print fmt("%s is using a certificate that was created %d days ago",
>                        c$id$resp_h, (network_time()-cert$not_valid_before) / (60*60*24));
>                }
>        }
>

So when would one want to use this version?  If you need access to the
entire cert chain for your calculations?

> Please send along more concrete examples of tasks you'd like to complete.  Those are the kinds of questions I really like. :)

Ha, how much time do you have!

> We've begun defining a companion input framework to go along with the logging framework but it's still very early and we haven't begun writing any code for it yet (IOW, definitely not in the next release).

Please, please do it this way:
Create a generic external IO system that uses an HTTP protocol.  REST
is preferred, but the simpler the better.  That way you can get out of
the binary protocol business and get back to work on Bro's core
competencies, and anyone who wants to interact with Bro can just make
sure they have a sensible web API.



