input-framework file locations

Aashish_Sharma1 · July 8, 2016, 11:59pm

I have been thinking and trying different things but for now, it appears that if we are to share policies around, there is no easy way to be able to distribute input-files along with policy files.

Basically, right now I use

redef Scan::whitelist_ip_file = "/usr/local/bro/feeds/ip-whitelist.scan" ;

and then expect everyone to edit path as their setup demands it and place accompanying sample file in the directory or create one for themselves - this all introduces errors as well as slows down deployment.

Is there a way I can use relative paths instead of absolute paths for input-framework digestion. At present a new-heuristics dir can have __load__.bro with all policies but input-framework won't read files relative to that directory or where it is placed.

redef Scan::whitelist_ip_file = "../feeds/ip-whitelist.scan" ;

Something similar to __load__.bro model

Also, one question I have is should all input-files go to a 'standard' feeds/input dir in bro or be scattered around along with their accompanied bro policies (ie in individual directories )

Something to think about as with more and more reliance on input-framework i think there is a need for 'standardization' on where to put input-files and how to easily find and read them.

Aashish

robin · July 9, 2016, 12:41am

@DIR gives you the path to the directory the current script is located
in. Does that help?

Robin

Aashish_Sharma1 · August 25, 2017, 8:56pm

[ re-igniting an OLD thread ]

OK so @DIR sort of works.

I've used this as

global smtp_indicator_feed= fmt
("%s/feeds/smtp_malicious_indicators.out",@DIR) &redef ;

Problem is: @DIR gives the path of the directory where script is residing.

So when I do broctl install - all the scripts go into :
../spool/installed-scripts-do-not-touch/

so while file is referenced correctly and input-data is read just
fine. Humans or no other process can now append to the input file
anymore.

Does the problem make sense ?

I think I am looking for something which can point back to a 'static' path.

seth · August 29, 2017, 1:48am

Huh, that's definitely a problem that I can see limiting people. What you might want to do is reference a particular directory and having instructions for people that they need to make it writable by the user running the Bro process (and the directory could be redef-able).

Alternately, it looks like you're only using that to persist state across executions. Is that right? If you're doing that, then you could possibly get away with storing in $TMP.

Once Broker is in Bro, you can use Broker data stores to store and retrieve your data.

.Seth

Topic		Replies	Views
script loading implementation Development development	9	161	May 6, 2022
Hui Lin_Input framework to load data from files in remote machines Zeek	2	109	May 6, 2022
Hui Lin_default path to load .bro policy file Development development	2	85	May 6, 2022
Loading directories Development development	11	200	May 6, 2022
Script reorg proposal Development development	27	237	May 6, 2022

input-framework file locations

Related topics