Hello everyone,
I am looking for possibilities to connect several Bro Systems like it
is described in Broccoli API from Christian Kreibich. I did not find
something in the Bro manual.
Is there a possibility to send events encrypted from one Bro host to
another by using policy scripts?
Thanks,
Alexander Scholz
             
Hi Alex,

> Hello everyone,
> I am looking for possibilities to connect several Bro Systems like it
> is described in Broccoli API from Christian Kreibich. I did not find
> something in the Bro manual.
> Is there a possibility to send events encrypted from one Bro host to
> another by using policy scripts?

oh definitely! It's more like Broccoli is the special case, not Bro-Bro
communication. 
It's all done using the same table that you use to configure just the
Bro end in Bro-Broccoli exchanges. Look at the definition of the
Destination record type in remote.bro. All of these fields can be set by
individual entries in the destinations table.
For example, this is the configuration of the responding host for
Broccoli's broping example:
redef Remote::destinations += {
        ["broping"] = [$host = 127.0.0.1, $events = /ping/, $connect=F, $ssl=F]
};
The corresponding configuration for a Bro node sending out the pings
would be:
redef Remote::destinations += {
        ["broping"] = [$host = 127.0.0.1, $events = /pong/, $connect=T, $ssl=F]
};
Notice that the "pinger" subscribes to "pong" events, and the "ponger"
subscribes to "ping" events. Also, "connect" is true in one case but
false in the other -- that's how you configure who established the
connection. To enable SSL, set $ssl=T on both ends. The configuration of
SSL certificates remains unchanged from how it's described in the
Broccoli docs.
Hope this helps -- good luck!
Cheers,
Christian.