Broccoli + Intel framework

Is there a recommended way to modify Bro data on the fly with Broccoli, and to have those changes saved upon a restart of Bro?

I’ve looked at the Intel framework, thinking that broccoli could update files on disk (which then get automatically read into the intel framework), but it seems like a bit of a roundabout method.

  1. What are other people using to update bro variables/configs/tables on the fly? Is Broccoli the best tool to use?

  2. What is the best method of updating bro variables using broccoli so that they get kept between bro restarts?

Thanks,

B Little

1) What are other people using to update bro variables/configs/tables on the fly? Is Broccoli the best tool to use?

Broccoli does well for cases where transient data is handed off to a Bro peer for further processing and where that data can't easily originate from a different Bro process (for some tasks you might be able to have one long-running Bro process and just start up a different Bro process that connects to it and sends some events when you need to).

2) What is the best method of updating bro variables using broccoli so that they get kept between bro restarts?

Broccoli could probably also do alright for sending persistent data to Bro if you use the &persistent attribute on the variables of interest. A downside may be that the storage it uses won't be directly readable/modifiable by anything other than a Bro process.

An alternative is to use the input framework for data that's supposed to persist across Bro restarts, but also be modifiable (by human or some other script/program) at runtime. The scripts at [1] are a working example of this. The intel framework may also be usable for your situation, but it's also just using the input framework internally which you can use directly if you need the flexibility.

- Jon

[1] https://github.com/jsiwek/bro_vetting
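
The input-framework approach described in the reply above, as an added example that is not part of the thread and is not taken from the linked bro_vetting scripts. The file path, the table and event names, and the record fields are assumptions chosen for illustration.

```bro
# Added example. Assumed input file (columns separated by a single tab):
#   #fields  ip          reason
#   192.0.2.10           constructed sample entry
@load base/frameworks/input

# Assumed location; any person or program able to write this file
# can change the table while Bro is running.
const watchlist_file = "/usr/local/bro/share/watchlist.tsv" &redef;

type Idx: record { ip: addr; };
type Val: record { reason: string; };

# No &persistent here: the file on disk is the copy that survives restarts.
global watchlist: table[addr] of Val = table();

# Called by the input framework for every added, changed or removed row.
event watchlist_changed(desc: Input::TableDescription, tpe: Input::Event,
                        left: Idx, right: Val)
    {
    local what = "added";
    if ( tpe == Input::EVENT_CHANGED )
        what = "changed";
    else if ( tpe == Input::EVENT_REMOVED )
        what = "removed";
    print fmt("watchlist entry %s: %s (%s)", what, left$ip, right$reason);
    }

event bro_init()
    {
    # REREAD reloads the whole file whenever it is modified, so rows
    # deleted from the file also disappear from the table.
    Input::add_table([$source=watchlist_file, $name="watchlist",
                      $idx=Idx, $val=Val, $destination=watchlist,
                      $ev=watchlist_changed, $mode=Input::REREAD]);
    }

# Example consumer: report connections to a listed responder address.
event new_connection(c: connection)
    {
    if ( c$id$resp_h in watchlist )
        print fmt("%s contacted watchlisted host %s (%s)", c$id$orig_h,
                  c$id$resp_h, watchlist[c$id$resp_h]$reason);
    }
```

Because the file is the source of truth, write access to it is equivalent to write access to the table, so its ownership and permissions should be restricted to the account that maintains it.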