input-framework file locations

I have been thinking and trying different things but for now, it appears that if we are to share policies around, there is no easy way to be able to distribute input-files along with policy files.

Basically, right now I use

redef Scan::whitelist_ip_file = "/usr/local/bro/feeds/ip-whitelist.scan" ;

and then expect everyone to edit path as their setup demands it and place accompanying sample file in the directory or create one for themselves - this all introduces errors as well as slows down deployment.

Is there a way I can use relative paths instead of absolute paths for input-framework digestion. At present a new-heuristics dir can have __load__.bro with all policies but input-framework won't read files relative to that directory or where it is placed.

redef Scan::whitelist_ip_file = "../feeds/ip-whitelist.scan" ;

Something similar to __load__.bro model

Also, one question I have is should all input-files go to a 'standard' feeds/input dir in bro or be scattered around along with their accompanied bro policies (ie in individual directories )

Something to think about as with more and more reliance on input-framework i think there is a need for 'standardization' on where to put input-files and how to easily find and read them.


@DIR gives you the path to the directory the current script is located
in. Does that help?


[ re-igniting an OLD thread ]

OK so @DIR sort of works.

I've used this as

global smtp_indicator_feed= fmt
("%s/feeds/smtp_malicious_indicators.out",@DIR) &redef ;

Problem is: @DIR gives the path of the directory where script is residing.

So when I do broctl install - all the scripts go into :

so while file is referenced correctly and input-data is read just
fine. Humans or no other process can now append to the input file

Does the problem make sense ?

I think I am looking for something which can point back to a 'static' path.

Huh, that's definitely a problem that I can see limiting people. What you might want to do is reference a particular directory and having instructions for people that they need to make it writable by the user running the Bro process (and the directory could be redef-able).

Alternately, it looks like you're only using that to persist state across executions. Is that right? If you're doing that, then you could possibly get away with storing in $TMP.

Once Broker is in Bro, you can use Broker data stores to store and retrieve your data.