Bro log into MySQL

You can find a patch for the bro "CURRENT" release which enables you to log into a MySQL database at http://manux.rstack.org/bro_mysql.

It requires the library MySQL++.
It uses a new bro bif called log_external which logs alerts according to a method passed as an argument.

With this patch the only supported method is ALERT_LOG_EXTERNAL_SQL, which logs into a MySQL database.

A basic bro script that uses this method is given as an example (policy/test.bro).

For instance:
[paul@duncan bro-pub-0.8a48.dev-mysql]$ ./bro -r example-attacks/ftp-site-exec.trace test
976284129.459304 0.91239 other-3914 431 0 38.33.11.127 131.243.169.116 SF X
976284140.775142 0.567636 other-3915 304 0 38.33.11.127 131.243.169.116 SF X
...

Manu,

Thanks for sharing the code.
Attached is my simple Perl/DBI script (dbi-bro.pl), without changing the
original bro code.

Just pipe the log output to dbi-bro.pl, such as

# bro -r trace.1 ./mypolicy.bro | dbi-bro.pl

But when I use live traffic, I can't pipe or redirect the log output to
the script, or even to a file. I don't know why. :(

Hongjie

== dbi-bro.pl

#! /usr/bin/perl
use strict;
use warnings;
use DBI;

# configuration variables
my $dbhost = 'localhost';
my $dbname = 'dbname';
my $dbuser = 'username';
my $dbpass = 'passwd';

my $table = 'tablename';

my $dsn = "DBI:mysql:dbname=$dbname;host=$dbhost";

# RaiseError makes DBI die on a failed statement instead of silently going on
my $dbh = DBI->connect($dsn, $dbuser, $dbpass, { RaiseError => 1 })
    or die "database error: $DBI::errstr";

# ten placeholders: the timestamp is split into seconds and fraction, then
# duration, service, orig bytes, resp bytes, orig ip, resp ip, state, flag
my $sth = $dbh->prepare("INSERT INTO $table VALUES (?,?,?,?,?,?,?,?,?,?)");

# matches one connection-log line such as
# 976284129.459304 0.91239 other-3914 431 0 38.33.11.127 131.243.169.116 SF X
# (the pattern must be a single line so it matches a single log line)
my $PerlParsingFormat = qr/^([\d-]+)\.([\d-]+) (\S+) (\S+) ([\d-]+) ([\d-]+) (\S+) (\S+) (\S+) (\S+)/;

while (<>) {
    chomp;
    my @field = /$PerlParsingFormat/;
    # skip lines that do not have the expected ten fields
    next unless @field == 10;
    $sth->execute(@field);
}

$dbh->disconnect;
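As an added example (not part of this thread, the bro patch, or dbi-bro.pl), the same log-to-database pipeline in Python: it parses the ten-column connection-log lines quoted above, rejects anything that does not match the full layout, and inserts the typed fields with a parameterised statement into an in-memory SQLite table standing in for MySQL. The column names and the sample lines are my assumptions; the thread does not name the columns.

```python
import re
import sqlite3

# Constructed sample input: two lines in the format quoted above plus one bad line.
SAMPLE_LOG = """976284129.459304 0.91239 other-3914 431 0 38.33.11.127 131.243.169.116 SF X
976284140.775142 0.567636 other-3915 304 0 38.33.11.127 131.243.169.116 SF X
this line is not a connection record and must be skipped
"""
# Column names are an assumption; the thread does not name the columns.
FIELDS = ("ts", "duration", "service", "orig_bytes", "resp_bytes",
          "orig_ip", "resp_ip", "state", "flag")

# Anchored at both ends: a truncated or padded line is rejected whole rather
# than partially inserted. '-' is what bro prints for an unknown value.
LINE_RE = re.compile(r"^(\d+\.\d+|-) (\d+(?:\.\d+)?|-) (\S+) (\d+|-) (\d+|-) "
                     r"(\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Return a dict of typed fields for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(zip(FIELDS, m.groups()))
    for k in ("ts", "duration"):
        rec[k] = None if rec[k] == "-" else float(rec[k])
    for k in ("orig_bytes", "resp_bytes"):
        rec[k] = None if rec[k] == "-" else int(rec[k])
    return rec

def load_log(text, conn):
    """Insert every well-formed line with a parameterised statement.
    Returns (inserted, skipped)."""
    conn.execute("CREATE TABLE IF NOT EXISTS conn_log (ts REAL, duration REAL,"
                 " service TEXT, orig_bytes INTEGER, resp_bytes INTEGER,"
                 " orig_ip TEXT, resp_ip TEXT, state TEXT, flag TEXT)")
    inserted = skipped = 0
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1          # never let an unparsed line reach the DB
            continue
        conn.execute("INSERT INTO conn_log VALUES (?,?,?,?,?,?,?,?,?)",
                     tuple(rec[f] for f in FIELDS))
        inserted += 1
    conn.commit()
    return inserted, skipped

def demo():
    return load_log(SAMPLE_LOG, sqlite3.connect(":memory:"))
```

Run as a filter, `load_log(sys.stdin.read(), conn)` replaces the `while (<>)` loop of the Perl script; the (inserted, skipped) counts make silently dropped lines visible.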