BroCtl plugin - Hooking into install command (UNCLASSIFIED)


I've developed a custom BroCtl plugin which attempts to hook into the install command before it executes (i.e., I'm overriding cmd_install_pre()) so that a configuration defined elsewhere in /usr/local/etc can be read and the various Bro configuration files (e.g., node.cfg, networks.cfg, etc.) can be adjusted as a result. This basically works, but I have noticed that it seems like I have to run broctl install *twice* in order to make BroCtl and/or Bro realize the new configuration. Otherwise, Bro crashes and BroCtl tells me to look at the diagnostics using the diag command when I do a broctl start. The actual error messages vary but they all seem to suggest that something in Bro isn't reading in my new configuration as defined in the various Bro configuration files. I have verified that those files are actually updated to what I want prior to running broctl start.

Any ideas what might be going on? Am I missing something?

The problem here is that broctl reads the config files when broctl starts up, not
when the "install" command is run, so by the time your pre-install plugin
runs, the config files have already been read.

Have you tried a pre-deploy plugin (i.e., cmd_deploy_pre)?
That might be a better fit for what you're trying to accomplish,
unless there's some reason why you would prefer to not use the
deploy command.


Thanks for the recommendation! I'll take a look.