Endace support in use?

Bro currently comes with native support for Endace cards (i.e.,
using the Endace API directly, not via their libpcap-compatible
interface).

The support is enabled by configuring with --with-dag. As we're
cleaning up the Bro distribution, we were wondering if anybody is
using this functionality and would object to seeing it removed?

Robin

Hello,

Can someone please point me to some info on how Bro currently supports
remotely reconfiguring a sensor? Any example would also be appreciated.
I want to configure Bro to allow remote reconfiguration of sensors
without shutting down the sensor. One particular case I am interested in
is telling a Bro sensor to include/exclude a .bro script while running.
For example, a sensor starts with 'bro http' and then later is
reconfigured to 'bro http ssh'.

I briefly talked to Robin and Seth in regard to this, so sorry to bring
it up again. But it seems I missed some important pointers; I can't find
where/how to proceed with this. I have been successful sharing state
between remote sensors, like the bro-to-bro comm from the 2009 workshop, but not
doing remote reconfiguration.

Many thanks,

Gaspar

Hi Robin,

I'm posting this on behalf of the Endace CEO, Stuart Wilson as he is
not a member of this list and is unable to post. Note that I also
work for Endace, but am subscribed here with my personal address:

Hi Robin.

We’re seeing need from the Government space to retain this, and of
course we’d like to see it retained as well.

We’re happy to put some work to maintain it if you can leave it in
please. Updating to the latest drivers etc. might be useful.

Thanks,
Stuart Wilson

We have an Endace card and I would like to give Bro a shot on it at
some point in the future.

Excuse my ignorance, but what benefits are gained from using the native API as opposed to using the customized libpcap?

  .Seth

> We’re seeing need from the Government space to retain this, and of
> course we’d like to see it retained as well.

Hmm ... As I had not heard from anybody in reply to my original
mail, we have actually already moved ahead and removed the code from
the current development version. We are in the process of
restructuring Bro's packaging and installation setup, and while
doing so, we are removing a number of things that don't appear to be
in serious use anywhere, primarily to reduce the future maintenance
burden.

Do you have an idea how many sites will be affected by not having
the Endace API support in Bro? What is actually the advantage of
using the native API over the libpcap wrapper (which is what
everybody I heard from is currently doing already)?

> We’re happy to put some work to maintain it if you can leave it in
> please.

Thanks for the offer. I think what we could do is postpone this for
now until we get closer to the next release and then revisit the
question and potentially add the support back in if that would be
really helpful for some sites. Doing so should generally be pretty
straightforward, but we'd indeed need some help with that to make
sure it's working as expected, as we don't have any of the cards
available ourselves. Does that sound ok for now?

Robin