Bro log into MySQL

You can find a patch for the bro "CURRENT" release which enables you to log in a MySQL database at

It requires the library MySQL++.
It uses a new bro bif called log_external, which logs alerts according to a method passed as an argument.

With this patch, the only supported method is ALERT_LOG_EXTERNAL_SQL, which logs into a MySQL database.

A basic bro script that uses this method is given as an example (policy/test.bro).

For instance:
[paul@duncan]$ ./bro -r example-attacks/ftp-site-exec.trace test
976284129.459304 0.91239 other-3914 431 0 SF X
976284140.775142 0.567636 other-3915 304 0 SF X


Thanks for sharing the code.
Attached is my simple perl/DBI script (without changing the original bro code).

Just pipe the log output to it, such as

# bro -r trace.1 ./mypolicy.bro |

But when I use live traffic, I can't pipe or redirect the log output to
the script, or even to a file. I don't know why. :(



#! /usr/bin/perl

use strict;
use warnings;
use DBI;

# configuration variables (the values were not included in the posted
# script; the ones below are placeholders to replace with your own)
my $dbname = "bro";
my $dbhost = "localhost";
my $dbuser = "bro";
my $dbpass = "secret";
my $table  = "conn";

my $dsn = "DBI:mysql:dbname=$dbname;host=$dbhost";

my $dbh = DBI->connect($dsn, $dbuser, $dbpass, { RaiseError => 1 })
        or die "database error: $DBI::errstr";

# ten columns: the timestamp is split into its integer and fractional part,
# then duration, service, orig bytes, resp bytes, state, flags, orig addr, resp addr
my $sth = $dbh->prepare("INSERT INTO $table
                      VALUES (?,?,?,?,?,?,?,?,?,?)");

# one conn-log line; compiled with qr// so the backslashes are not eaten by
# double-quote interpolation (a byte count may be "-" when unknown)
my $PerlParsingFormat = qr/^([\d-]+)\.([\d-]+) ([^ ]+) ([^ ]+) ([\d-]+) ([\d-]+) ([^ ]+) ([^ ]+) ([^ ]+) ([^ ]+)/;

while (<>) {
        chomp;
        # skip anything that is not a conn-log line instead of executing
        # the INSERT with an empty parameter list
        my @field = /$PerlParsingFormat/
                or do { warn "unparsed line: $_\n"; next };
        $sth->execute(@field);
}

$dbh->disconnect;
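The same pipeline as an added example (not code from the thread or from the Bro project): the conn-log lines from the first post and the full nine-field layout the Perl regex above expects, parsed and written through bound parameters. It uses Python's sqlite3 module as an in-memory stand-in for MySQL so it runs offline; the table name "conn", the column names and the sample log lines are constructed for this example. It goes a little beyond the posted script in two ways: the two address fields are optional, so both the seven-field output shown earlier and nine-field lines parse, and lines that do not match are counted and skipped rather than passed to the INSERT.

```python
import re
import sqlite3

# Layout of one old-style Bro conn-log line, matching the posted Perl regex:
# the timestamp is captured as integer and fractional parts, then duration,
# service, orig bytes, resp bytes ("-" when unknown), state, flags, and an
# optional pair of addresses (absent in the seven-field lines above).
CONN_LINE = re.compile(
    r"^(\d+)\.(\d+) (\S+) (\S+) (-|\d+) (-|\d+) (\S+) (\S+)"
    r"(?: (\S+) (\S+))?$"
)

# Column names are fixed in code; only values taken from the log are bound.
# ("conn" and these column names are this example's, not the patch's.)
INSERT_SQL = (
    "INSERT INTO conn (ts_sec, ts_usec, duration, service, orig_bytes, "
    "resp_bytes, state, flags, orig_addr, resp_addr) "
    "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
)


def _bytes(v):
    # Bro writes "-" for an unknown byte count; store NULL rather than 0
    return None if v == "-" else int(v)


def parse_conn_line(line):
    """Return the ten column values for one conn-log line, or None when the
    line is not a conn record (e.g. a diagnostic message on the same stdout)."""
    m = CONN_LINE.match(line.rstrip("\n"))
    if not m:
        return None
    ts_sec, ts_usec, dur, svc, obytes, rbytes, state, flags, oaddr, raddr = m.groups()
    return (int(ts_sec), int(ts_usec), float(dur), svc, _bytes(obytes),
            _bytes(rbytes), state, flags, oaddr, raddr)


def open_db():
    """In-memory sqlite3 database with the example's conn table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE conn (ts_sec INTEGER, ts_usec INTEGER, duration REAL, "
        "service TEXT, orig_bytes INTEGER, resp_bytes INTEGER, state TEXT, "
        "flags TEXT, orig_addr TEXT, resp_addr TEXT)"
    )
    return db


def load_conn_log(db, lines):
    """Insert every well-formed line in one transaction; return (inserted, rejected)."""
    inserted = rejected = 0
    with db:  # commit once for the batch, roll back on error
        for line in lines:
            row = parse_conn_line(line)
            if row is None:
                rejected += 1
                continue
            db.execute(INSERT_SQL, row)
            inserted += 1
    return inserted, rejected


# Constructed sample input: the first two lines are the ones shown in the
# thread; the third has the address fields and an unknown resp byte count;
# the fourth is a non-conn line that must be skipped; the fifth carries a
# quote and comment marker in the service field, which a bound parameter
# stores as plain text instead of altering the statement.
SAMPLE_LOG = [
    "976284129.459304 0.91239 other-3914 431 0 SF X",
    "976284140.775142 0.567636 other-3915 304 0 SF X",
    "976284150.000001 1.5 ftp 120 - S1 L 10.0.0.5 192.0.2.9",
    "processing packets...",
    "976284160.5 0.1 x';-- 10 20 REJ X",
]


def demo():
    """Load SAMPLE_LOG and return ((inserted, rejected), stored rows)."""
    db = open_db()
    counts = load_conn_log(db, SAMPLE_LOG)
    rows = db.execute(
        "SELECT service, orig_addr, resp_bytes FROM conn ORDER BY ts_sec"
    ).fetchall()
    return counts, rows


if __name__ == "__main__":
    print(demo())
```

To feed it from bro the way the Perl script is used, replace SAMPLE_LOG with `sys.stdin` in the call to load_conn_log; each line is parsed and bound independently, so a stray message on stdout is counted as rejected rather than stopping the run.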