[Bro] Developing my own writer driver

Luis Miguel Silva luismiguelferreirasilva at gmail.com
Wed Jan 28 11:37:02 PST 2015


Cool! And since you talked about multiple remote sensors, let me ask
another question that I'm really curious about...

Let's imagine that I have a low-end machine capturing traffic and want to
send the prefiltered events into a more beefy remote machine for analysis
and event capturing. Can I do that?

Based on Bro's Input framework, I believe I can redirect an entire tcpdump
into it BUT I want *some* filtering to happen upfront, though the MAIN
processing work should be executed somewhere else.

From what I understood (based on this architectural description
<https://www.bro.org/sphinx/cluster/index.html>), my low-end computer in
charge of the sniffing would run the "manager" code and my beefy machine(s)
would run the workers. Is that how I would set things up?
And who writes the outputs: is it the workers, OR do the workers pass the
result back to the manager?

Thank you,
Luis

On Wed, Jan 28, 2015 at 12:22 PM, John Green <john at giggled.org> wrote:

> On 28 January 2015 at 19:01, Luis Miguel Silva
> <luismiguelferreirasilva at gmail.com> wrote:
> > Out of curiosity, why didn't you create a custom writer instead?
> > ...simplicity?
>
> At the time simplicity and I had multiple remote sensors with
> restricted network connectivity.  I would rsync, or physically
> transfer, the completed logs back to a central postgres server for
> import and analysis.  Real time alerting wasn't that important.
>
> Getting the data into Postgres did facilitate the writing of some
> useful SQL queries to spot odd/malicious behaviour.  If I were doing it
> again I would probably investigate using Postgres Foreign Data Wrappers
> instead.
>
> John
>
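As an added illustration of the cluster layout the question above refers to (this is not from the thread or from the Bro project's own documentation): in a BroControl cluster the workers are the processes that sniff an interface and run the analysis, the proxies relay state between workers, and the manager collects the workers' log records and is the process that writes the log files. So for the split described in the question, the worker goes on the capture box and the manager on the analysis box. The host names and the interface name below are assumptions; BroControl expects the same Bro installation path and passwordless ssh from the manager host to every other node.

```ini
# Added example node.cfg for BroControl (not from the thread).
# Host names and the interface name are assumptions.

# Manager on the beefy analysis box: receives log records from the
# workers and is the process that actually writes the log files.
[manager]
type=manager
host=analysis.example.net

# One proxy is enough for a small cluster; it can share the analysis box.
[proxy-1]
type=proxy
host=analysis.example.net

# Worker on the low-end capture box: this is where sniffing and protocol
# analysis happen. Upfront BPF filtering (e.g. restrict_filters in
# local.bro) is applied here, before anything reaches the manager.
[worker-1]
type=worker
host=sensor.example.net
interface=eth1
```

Note that Bro's cluster applies packet-level filters on the worker, but the protocol analysis itself also runs on the worker; the manager only aggregates and writes logs. A design that sniffs on one box and analyses on another is therefore not what the cluster provides; the alternative the thread discusses, shipping completed logs (or an Input-framework feed) to a separate machine, is the way to move the heavy work elsewhere.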