[Bro] Best practice on how to customize an officially distributed script

Luis Miguel Silva luismiguelferreirasilva at gmail.com
Mon Feb 2 08:51:34 PST 2015


...by the way, I should have said this in my previous email...
I do not think I can simply look at the DHCP info, seeing that some of the
hosts in my network MIGHT have statically defined ip addresses. The
known-hosts script looks at src and dest ip addrs to figure out who's out
there, right?

Thanks,
Luis

On Mon, Feb 2, 2015 at 9:49 AM, Luis Miguel Silva <
luismiguelferreirasilva at gmail.com> wrote:

> I haven't given that much thought about how I'm going to capture the mac
> addr right now. :o)
> My first concern was to understand what the best practices are for
> customizing an existing stock script.
>
> For instance, I don't know if it is possible to overload / extend other
> script's functions? If so, I'm interested in that, seeing as I do not want
> to replace / customize ALL script functionality.
>
> Originally, I had thought about running an arp query of some sort (maybe
> calling out an external script, which I'm guessing should be possible?) to
> figure out what the mac is for each local ip addr. Is there a more elegant
> / scalable way to do it?
>
> Thank you,
> Luis
>
>
> On Mon, Feb 2, 2015 at 8:53 AM, Seth Hall <seth at icir.org> wrote:
>
>>
>> > On Feb 2, 2015, at 12:35 AM, Luis Miguel Silva <
>> luismiguelferreirasilva at gmail.com> wrote:
>> >
>> > I would like to change the known-hosts.bro script to log both the ip
>> and macaddr for all known hosts in my network.
>>
>> Are you collecting mac addresses from the DHCP analyzer?
>>
>> > What are the best practices for customizing scripts that ship with bro
>> (e.g. distributed in the /usr/share/bro/* directory)?
>> > Am I supposed to just:
>> > - copy the script I want to customize to my share/bro/site/
>> > - and change local.bro to load the script in share/bro/site/ instead of
>> share/bro/policy/protocols/conn/known-hosts.bro?
>>
>> That’s probably the best option.  At the very least, if you’re loading
>> the one out of your site directory you won’t have to worry about
>> interfering with the one in the policy directory.
>>
>>   .Seth
>>
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
>>
>>
>
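As an added example (not code from the thread or from the Bro project), this is what Seth's suggestion could look like in practice: a site-local copy of known-hosts.bro, placed in share/bro/site/ and loaded from local.bro in place of the stock policy script, that adds an optional mac column filled from the DHCP analyzer. The record layout, the Bro 2.3-era dhcp_ack event signature, the dhcp_msg fields and the dhcp_macs helper table are assumptions; hosts that never use DHCP (statically addressed ones) simply get no mac value.

```bro
##! Site-local variant of known-hosts.bro that also logs the MAC address
##! learned for a host from the DHCP analyzer. Assumed: stock script
##! layout and Bro 2.3-era dhcp_ack signature / dhcp_msg fields.
##! Load it from local.bro with "@load ./known-hosts" (in share/bro/site/)
##! instead of policy/protocols/conn/known-hosts.

@load base/utils/site

module Known;

export {
    redef enum Log::ID += { HOSTS_LOG };

    type HostInfo: record {
        ts:   time   &log;
        host: addr   &log;
        ## MAC seen for this IP in a DHCP lease; absent for hosts that
        ## never use DHCP (e.g. statically configured addresses).
        mac:  string &log &optional;
    };

    const host_tracking = LOCAL_HOSTS &redef;

    global known_hosts: set[addr] &create_expire=1day &synchronized &redef;
    global log_known_hosts: event(rec: HostInfo);
}

## IP -> MAC learned from DHCP acks (assumed helper, not in the stock script).
global dhcp_macs: table[addr] of string &create_expire=1day &synchronized;

event bro_init() &priority=5
    {
    Log::create_stream(Known::HOSTS_LOG, [$columns=HostInfo, $ev=log_known_hosts]);
    }

event dhcp_ack(c: connection, msg: dhcp_msg, mask: addr, router: dhcp_router_list,
               lease: interval, serv_addr: addr, host_name: string)
    {
    # yiaddr is the address the server handed out; h_addr is the client MAC.
    if ( msg$yiaddr != 0.0.0.0 )
        dhcp_macs[msg$yiaddr] = msg$h_addr;
    }

event connection_established(c: connection) &priority=3
    {
    local id = c$id;
    for ( host in set(id$orig_h, id$resp_h) )
        {
        if ( host !in known_hosts && addr_matches_host(host, host_tracking) )
            {
            add known_hosts[host];
            local rec: HostInfo = [$ts=network_time(), $host=host];
            if ( host in dhcp_macs )
                rec$mac = dhcp_macs[host];
            Log::write(Known::HOSTS_LOG, rec);
            }
        }
    }
```

Because the copy defines the same Known module and log stream as the stock script, load only one of the two from local.bro or the enum and record definitions will clash.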