I currently have a Bro script that downloads and dynamically updates Intel data from a central source. It is a scheduled event running in Bro, so it doesn’t require a check/restart. I need to create a similar type of mechanism for signatures, but the only documentation I can find seems to indicate that I need to use @load-sigs and have a file available at startup. However, I do need the ability to update signatures on a fairly frequent basis.
Although I opted not to use Intel data files which have the feature of reloading when modified, I am wondering if a similar feature exists for .sig files.
Signatures appear to be the type of data that would be stored in a data structure rather than compiled as code. Is there a corresponding API for accessing (add, update, remove) the signature data from a Bro script?
Another possibility is to write a Python script to update the signature file and have it trigger a reload of Bro. Rather than forcing Bro to shut down and restart for a signature file update at an arbitrary time that could interfere with normal processing, is there a regular event/operation where this reload could/should be triggered for minimal impact?
Or, is there another mechanism for signature updates that I have not yet considered? Any related issues or considerations regarding Bro clusters would be useful to know as well.
Any help or insight into how best to dynamically update signatures would be much appreciated.
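The "external script plus reload" route sketched above, written out as an added example (this is not code from the original post or from the Bro project). It assumes the signature file is already referenced from the installed Bro config (via @load-sigs or signature_files) and that BroControl's `broctl deploy` (which runs check, install and restart across all cluster nodes) is the reload command; the signature text, the `fetch` callable and the `looks_like_sig_file` heuristic are constructed for the example. The point it adds to the prose is restart discipline: only touch Bro when the file content actually changed, never leave a half-written .sig on disk, and fall back to the last known good file if the reload fails.

```python
"""Replace a Bro signature file from a central source and reload only on change."""
import hashlib
import os
import subprocess
import tempfile
from typing import Callable, List, Optional

# Constructed sample .sig content for the demo (hypothetical signature, not a real ruleset).
SAMPLE_SIGS = b"""signature example-http-ua {
  ip-proto == tcp
  dst-port == 80
  http-request-header /^User-Agent: ExampleScanner/
  event "example scanner user-agent"
}
"""

# Assumed reload command: 'broctl deploy' = check + install + restart of all nodes.
DEFAULT_RELOAD_CMD = ["broctl", "deploy"]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def looks_like_sig_file(data: bytes) -> bool:
    """Cheap pre-deploy sanity check (a heuristic, not a parser): every
    top-level block must start with 'signature <id> {' and braces must balance.
    Anything this misses is still caught by 'broctl check' before restart."""
    depth = 0
    for line in data.decode("utf-8", errors="replace").splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if depth == 0 and not stripped.startswith("signature "):
            return False
        depth += stripped.count("{") - stripped.count("}")
        if depth < 0:
            return False
    return depth == 0


def write_atomic(path: str, data: bytes) -> None:
    """Write to a temp file in the same directory, fsync, then rename over the
    target, so a Bro restart can never load a partially written file."""
    dirname = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".sigs-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)


def update_signatures(
    fetch: Callable[[], bytes],
    sig_path: str,
    reload_cmd: Optional[List[str]] = None,
    run: Callable[[List[str]], int] = lambda cmd: subprocess.call(cmd),
) -> str:
    """Returns 'rejected', 'unchanged', 'updated' or 'reload-failed'.
    'run' is injectable so the restart can be stubbed out in tests."""
    reload_cmd = reload_cmd or DEFAULT_RELOAD_CMD
    new = fetch()
    if not looks_like_sig_file(new):
        return "rejected"                      # never install junk, never restart
    prev = None
    if os.path.exists(sig_path):
        with open(sig_path, "rb") as f:
            prev = f.read()
        if sha256(prev) == sha256(new):
            return "unchanged"                 # no restart when nothing changed
    write_atomic(sig_path, new)
    if run(reload_cmd) == 0:
        return "updated"
    if prev is not None:                       # roll back to last known good file
        write_atomic(sig_path, prev)
        run(reload_cmd)
    return "reload-failed"


def run_demo() -> List[str]:
    """Exercise the four outcomes against a temp file with a stubbed reload."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dynamic.sig")
        ok = lambda cmd: 0                     # stand-in for a successful broctl deploy
        fail = lambda cmd: 1                   # stand-in for a failed deploy
        results.append(update_signatures(lambda: SAMPLE_SIGS, path, ["true"], ok))
        results.append(update_signatures(lambda: SAMPLE_SIGS, path, ["true"], ok))
        results.append(update_signatures(lambda: b"garbage {", path, ["true"], ok))
        newer = SAMPLE_SIGS + b"signature example-udp {\n  ip-proto == udp\n}\n"
        results.append(update_signatures(lambda: newer, path, ["true"], fail))
        with open(path, "rb") as f:            # rollback restored the old file
            assert f.read() == SAMPLE_SIGS
    return results


if __name__ == "__main__":
    print(run_demo())
```

In production `fetch` would be the HTTP download from the central source (and should verify the transport or a signature on the file, since whatever it returns ends up compiled into every worker); the restart itself is still a full `broctl deploy`, so on a cluster this is best scheduled at a quiet time rather than at whatever moment the upstream file happens to change.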