[Bro] BRO and SQL

Seth Hall seth at icir.org
Thu Feb 2 05:44:11 PST 2012


On Feb 2, 2012, at 6:54 AM, Dave Angelo wrote:

> I am trying to add BRO the ability to ignore traffic from certain IP ranges dynamically.

We're hoping to do this more generally with the 2.1 release.  2.0 has an Intelligence (Intel) framework which is meant for being updated at runtime but we didn't get its API in shape to really be used.  For 2.1 we're also hoping to have the Reaction framework completed which will provide you a way to hook Bro together with external devices which can block traffic or take other actions.  These two frameworks should cover this use case really well.  Unfortunately Bro's not quite there yet.

> 1. Is it possible to query a DB from BRO scripts? is there any examples?

Not yet, but we have another option that will almost certainly work well for your scenario.  BroControl (broctl) has an "update" command which can update variables defined as const at runtime.  You can use the update command if you maintain your list of subnets in a variable like this:

const block_these_networks = { 
	1.2.3.0/24,
	6.5.4.0/24,
} &redef;

You would be able to change the values in that script, then go into BroControl and run the "check" command to make sure that your script doesn't have any syntax errors.  Then run "install", then "update".  That will update all const values in all Bro instances (in the event that you are running a cluster).

Feel free to ask again if you need more help.  We are working on making many of these jobs easier with each release.

> 2. Assuming yes, should i implement this logic at the 'new_connection' event? (I would like to drop connections from these IP's as soon as possible).

Yes, I think new_connection would work.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
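One way to put the pieces of the reply above together, as an added example that is not part of the original post or of Bro's own distribution: the subnet list lives in a redef-able const (so "broctl check", "broctl install", "broctl update" can push edits to every worker), and a new_connection handler stops analysis of matching hosts as early as possible. It assumes Bro 2.0's script language and the built-ins skip_further_processing and set_record_packets; the module name Ignore, the helper is_ignored and the match_responder switch are names chosen for this example, and the two subnets are the placeholders from the post.

```bro
## Added example, not code from the original post or from the Bro project.
## Keeps the ignore list in a redef-able const so "broctl update" can change it
## at runtime, and skips analysis of matching connections on new_connection.
module Ignore;

export {
    ## Networks whose traffic should not be analyzed. Edit here, then run
    ## "broctl check", "broctl install", "broctl update" (cluster-wide).
    ## Placeholder subnets from the post; replace with your own.
    const block_these_networks: set[subnet] = {
        1.2.3.0/24,
        6.5.4.0/24,
    } &redef;

    ## Also match the responder address, not only the originator.
    ## (Name assumed for this example.)
    const match_responder = T &redef;
}

## Returns T if either endpoint of the connection falls inside an ignored
## subnet. "addr in set[subnet]" does longest-prefix containment in Bro.
function is_ignored(c: connection): bool
{
    if ( c$id$orig_h in block_these_networks )
        return T;
    if ( match_responder && c$id$resp_h in block_these_networks )
        return T;
    return F;
}

## new_connection fires on the first packet of a connection, before any
## protocol analysis, so this is the earliest script-level hook.
event new_connection(c: connection)
{
    if ( ! is_ignored(c) )
        return;

    # Tell the core to stop analyzing this connection; no further protocol
    # events will be raised for it by this Bro instance.
    skip_further_processing(c$id);

    # Don't write its remaining packets into any trace file either.
    set_record_packets(c$id, F);
}
```

Note the limit this shares with the approach in the post: Bro only passively observes traffic, so this stops Bro from spending cycles on those hosts and keeps them out of its logs, but the packets still traverse the network. Actually dropping them needs an external device or firewall rule, which is what the Reaction framework mentioned above is meant to drive.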
