[Bro] Broccoli + Intel framework

Siwek, Jonathan Luke jsiwek at illinois.edu
Mon Jul 8 08:06:39 PDT 2013


On Jul 8, 2013, at 7:11 AM, Brian Little <blittle766 at gmail.com> wrote:

> 1) What are other people using to update bro variables/configs/tables on the fly? Is Broccoli the best tool to use?

Broccoli does well for cases where transient data is handed off to a Bro peer for further processing and where that data can't easily originate from a different Bro process (for some tasks you might be able to have one long-running Bro process and just start up a different Bro process that connects to it and sends some events when you need to).

> 2) What is the best method of updating bro variables using broccoli so that they get kept between bro restarts?

Broccoli could probably also do alright for sending persistent data to Bro if you use the &persistent attribute on the variables of interest.  A downside may be that the storage it uses won't be directly readable/modifiable by anything other than a Bro process.

An alternative is to use the input framework for data that's supposed to persist across Bro restarts, but also be modifiable (by human or some other script/program) at runtime.  The scripts at [1] are a working example of this.  The intel framework may also be usable for your situation, but it's also just using the input framework internally which you can use directly if you need the flexibility.

- Jon

[1] https://github.com/jsiwek/bro_vetting
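
Added example, not part of the original message and not taken from the bro_vetting scripts: a minimal Bro script that uses the input framework directly to keep a table in sync with a file on disk, so the data survives restarts and can be edited at runtime. The module name, record types, table name and file path are assumptions made for illustration, and the addresses are constructed sample values.

```bro
# Constructed example; module, type, table and path names are hypothetical.
#
# Contents of /usr/local/bro/share/blocklist.tsv. The ASCII reader expects
# tab-separated columns and a "#fields" header naming them:
#
#   #fields	ip	reason
#   192.0.2.10	scanner
#   198.51.100.7	under-review

module Blocklist;

export {
    # Index columns of the file (the table key).
    type Idx: record {
        ip: addr;
    };

    # Remaining columns (the table value).
    type Val: record {
        reason: string;
    };

    global hosts: table[addr] of Val = table();
}

event bro_init()
    {
    # REREAD makes Bro re-parse the file whenever it changes, adding,
    # updating and removing table entries to match the file contents.
    Input::add_table([$source="/usr/local/bro/share/blocklist.tsv",
                      $name="blocklist",
                      $idx=Idx, $val=Val,
                      $destination=hosts,
                      $mode=Input::REREAD]);
    }

event Input::end_of_data(name: string, source: string)
    {
    # Raised after each complete read of the file, including re-reads.
    if ( name == "blocklist" )
        print fmt("blocklist loaded from %s: %d entries", source, |hosts|);
    }

event connection_established(c: connection)
    {
    if ( c$id$resp_h in hosts )
        print fmt("%s -> %s (%s)", c$id$orig_h, c$id$resp_h,
                  hosts[c$id$resp_h]$reason);
    }
```

Because the file is the source of truth, it can be reviewed, edited and version-controlled outside Bro, unlike the &persistent store.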


