[Bro] BRO and SQL

Jim Mellander jmellander at lbl.gov
Fri Oct 26 16:04:58 PDT 2012


Resurrecting an old thread.

Seth's information on "broctl update", reproduced below, has proven useful
to us when changing const variables (sounds like a contradiction!), such as
maintenance of whitelists or blacklists, without restarting bro.  I've been
thinking about some use cases of redef'ing consts, where I would like to
cook the data in the consts.  This I typically do with a bro_init event
handler when bro starts up.  Is there some way to trigger an event when
these updates occur, so that the updated variable can be recooked?

Thanks in advance



On Thu, Feb 2, 2012 at 5:44 AM, Seth Hall <seth at icir.org> wrote:

> <snip>
>
> Not yet, but we have another option that will almost certainly work well
> for your scenario.  BroControl (broctl) has an "update" command which can
> update variables defined as const at runtime.  You can use the update
> command if you maintain your list of subnets in a variable like this:
>
> const block_these_networks = {
>         1.2.3.0/24,
>         6.5.4.0/24,
> } &redef;
>
> You would be able to change the values in that script then go into
> BroControl and run the "check" command to make sure that your script
> doesn't have any syntax errors.  Then run "install", then "update".  That
> will update all const values in all Bro instances (in the event that you
> are running a cluster).
>
> Feel free to ask again if you need more help.  We are working on making
> many of these jobs easier with each release.
> <snip>
>
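The pattern discussed in this thread, as an added example that is not code from either poster or from the Bro project: a `&redef` const that "broctl update" can change, plus a "cooked" table built once in `bro_init`. The module name `BlockList`, the `hits` table and the stale-entry message are hypothetical; only `block_these_networks` comes from the quoted message.

```bro
module BlockList;

export {
	# The const from the quoted message, with its type spelled out.
	# "broctl update" can replace this value in running instances.
	const block_these_networks: set[subnet] = {
		1.2.3.0/24,
		6.5.4.0/24,
	} &redef;
}

# Hypothetical "cooked" form: one hit counter per blocked subnet.
global hits: table[subnet] of count;

event bro_init()
	{
	# Cooking happens here, once, at startup.
	for ( net in block_these_networks )
		hits[net] = 0;
	}

event new_connection(c: connection)
	{
	local orig = c$id$orig_h;

	# This test reads the const directly, so it follows runtime updates.
	if ( orig !in block_these_networks )
		return;

	local cooked = F;
	for ( net in hits )
		{
		if ( orig in net )
			{
			++hits[net];
			cooked = T;
			}
		}

	# A subnet added after startup matches the const but was never cooked,
	# because bro_init does not run again; report it instead of dropping it.
	if ( ! cooked )
		print fmt("%s is in block_these_networks but has no cooked entry", orig);
	}
```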