[Bro] piped_exec

Seth Hall seth at icir.org
Wed Jan 23 06:15:54 PST 2013


On Jan 23, 2013, at 8:08 AM, Fahime Alizade <alizade.ce at gmail.com> wrote:

> Everything goes well with the worker. The script will be run, but on the manager side it does not execute the shell script file.

If you run that script on a cluster, the piped_exec command will be run where the traffic is being seen (the worker).  The manager will never run it.

What you likely want to do is allow your workers to generate notices and use the Notice::policy to make your manager execute your shell script.  Something like this…

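redef Notice::policy += {
	[$pred(n: Notice::Info) = {
		# n$id is an optional field, so check that it is set before
		# reading the originator address from it.
		if ( n$note == TCP::TEST && n?$id )
			{
			local cmd = fmt("/usr/local/bro/share/bro/site/test.sh");
			# piped_exec writes its second argument to the command's stdin.
			piped_exec(cmd, fmt("%s", n$id$orig_h));
			}
		return F;
	 },
	 $action=Notice::ACTION_NONE]
};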

I haven't tested this code so there may be some issue(s) with it. :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
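
The receiving side of the piped_exec call above, as an added example that is not part of the original post: a sketch of what test.sh could look like, given that piped_exec writes the address to the script's stdin without a trailing newline. The function names, the --stdin switch, the NOTICE_LOG variable and the log path are assumptions of this example, and the IPv6 check assumes the address is printed without brackets.

```sh
#!/bin/sh
# Added example: the receiving end of piped_exec(cmd, fmt("%s", n$id$orig_h)).
# Bro writes the string to this script's stdin; nothing arrives as an argument.

# Dotted-quad IPv4, each octet 0..255, no leading zeros.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1               # split on dots; only digits and dots remain here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*) return 1 ;; esac
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Conservative IPv6 shape check: hex digits and colons only, at least two
# colons, at most 39 characters. An allow-list, not a full parser.
is_ipv6() {
    case "$1" in
        *[!0-9A-Fa-f:]*|*:::*) return 1 ;;
        *:*:*) [ "${#1}" -le 39 ] ;;
        *) return 1 ;;
    esac
}

# Reads the one value written to stdin and prints it only if it is an address.
# read returns non-zero when the input has no trailing newline, so the value
# is still accepted when read fails but the variable is non-empty.
read_notice_addr() {
    IFS= read -r addr || [ -n "$addr" ] || return 1
    if is_ipv4 "$addr" || is_ipv6 "$addr"; then
        printf '%s\n' "$addr"
    else
        return 1
    fi
}

# Hypothetical action: append the validated address to a log file.
handle_notice() {
    if addr=$(read_notice_addr); then
        printf '%s notice orig_h=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$addr" \
            >> "${NOTICE_LOG:-/var/tmp/bro_notice_addrs.log}"
    else
        echo "rejected stdin payload: not an IP address" >&2
        return 1
    fi
}

# --stdin is this example's own switch, so the file can also be sourced.
if [ "${1:-}" = "--stdin" ]; then handle_notice; fi
```

With this layout the cmd string in the policy would end in "test.sh --stdin"; the address still travels over stdin rather than the command line.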
