[Bro] Best Way to Dynamically Update Signatures?

Michael Kortekaas mrkortek at gmail.com
Thu May 31 06:35:35 PDT 2018


Bro Community,

I currently have a Bro script that downloads and dynamically updates Intel
data from a central source. It is a scheduled event running in Bro so it
doesn't require a check/restart. I need to create a similar type mechanism
for signatures but the only documentation I can find seems to indicate that
I need to use @load-sigs and have a file available at startup. However I do
need the ability to update signatures on a fairly frequent basis.

Although I opted not to use Intel data files which have the feature of
reloading when modified, I am wondering if a similar feature exists for
.sig files.

Signatures appear to be the type of data that would be stored in a data
structure rather than compiled as code. Is there a corresponding API for
accessing (add, update, remove) the signature data from a Bro script?

Another potential is to write a Python script to update the signature file
and have it trigger a reload of Bro. Rather than forcing Bro to shut down
and restart for a signature file update at an arbitrary time that could
interfere with normal processing, is there a regular event/operation where
this reload could/should be triggered for minimal impact?

Or, is there another mechanism for signature updates that I have not yet
considered? Any related issues or considerations regarding Bro clusters
would be useful to know as well.

Any help or insight into how best to dynamically update signatures would be
much appreciated.

Regards,

Michael Kortekaas
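One shape for the Python updater proposed in the post, added here as an example and not code from the thread: it swaps the downloaded .sig file in atomically, reloads only when the content actually changed, and rolls back if `broctl check` rejects the new file. `broctl check` and `broctl deploy` are real broctl commands, but that `check` catches a malformed signature file in your Bro version is an assumption to confirm; the file path and the `run` hook are constructed for the example.

```python
"""Added example (not from the original post): replace a Bro signature file
safely and reload only when needed. Assumes one .sig file loaded via
@load-sigs and a sensor managed by broctl."""
import os
import subprocess
import tempfile


def signatures_changed(new_content: bytes, sig_path: str) -> bool:
    """True if sig_path is missing or its bytes differ from new_content."""
    try:
        with open(sig_path, "rb") as f:
            return f.read() != new_content
    except FileNotFoundError:
        return True


def write_atomically(new_content: bytes, sig_path: str) -> None:
    """Write via temp file + rename so a reload never sees a half-written .sig."""
    directory = os.path.dirname(os.path.abspath(sig_path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".sig-", suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_content)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, sig_path)  # atomic rename on POSIX
    finally:
        if os.path.exists(tmp):  # only left behind if something failed
            os.unlink(tmp)


def update_and_reload(new_content: bytes, sig_path: str,
                      broctl: str = "broctl", run=subprocess.run) -> str:
    """Returns "unchanged", "deployed" or "rejected".
    broctl deploy runs only after broctl check accepts the new file; on a
    failed check the previous file is restored so a bad download cannot take
    the sensor down. `run` is a hook so the flow can be exercised offline."""
    if not signatures_changed(new_content, sig_path):
        return "unchanged"
    backup = open(sig_path, "rb").read() if os.path.exists(sig_path) else None
    write_atomically(new_content, sig_path)
    if run([broctl, "check"], capture_output=True).returncode != 0:
        if backup is not None:
            write_atomically(backup, sig_path)
        return "rejected"
    run([broctl, "deploy"], check=True)
    return "deployed"
```

Run it from cron or a systemd timer against the fetched signature content; an "unchanged" result costs nothing, which is what makes a frequent polling interval safe.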