
List:       bro
Subject:    Re: [Zeek] Replacing the &synchronized attribute in 2.6
From:       Michał Purzyński <michalpurzynski1 () gmail ! com>
Date:       2019-03-15 2:42:56
Message-ID: CAJ6bFK2hFdfPNriD85WfNR4w+2gTW7qBA0DgQpctCtK0Wyefvw () mail ! gmail ! com

Thanks - this is exactly what I was Googling for (and could not find).

On Thu, Mar 14, 2019 at 11:25 AM Samuel Oehlert <soehlert@es.net> wrote:

> Mike Dopheide wrote a blog post (on the Zeek blog) about that exact topic
> not too long ago. He had spent a lot of time at work fixing a bug with one
> of our policies and had this deep dive in the process. It's a good read.
>
> https://blog.zeek.org/2018/07/broker-is-coming-part-2-replacing.html
>
> - Sam
>
> On Thu, Mar 14, 2019 at 1:19 PM Michał Purzyński <
> michalpurzynski1@gmail.com> wrote:
>
>> Thanks, using the configuration framework is easier indeed.
>>
>> Just for the sake of discussing some broker code - do we have examples
>> how people replace the &synchronized attribute?
>>
>> On Thu, Mar 14, 2019 at 6:00 AM Hosom, Stephen M <hosom@battelle.org>
>> wrote:
>>
>>> Michal,
>>>
>>>
>>> For the use case in your email, the best option available to you is the
>>> Configuration Framework.
>>>
>>>
>>> https://docs.zeek.org/en/stable/frameworks/configuration.html
>>>
>>>
>>> # First file:
>>>
>>> module TestModule;
>>>
>>> export {
>>>     option whitelist_scan_ip: set[subnet] = {};
>>>     redef Config::config_files += { "/path/to/my/config.dat" };
>>> }
>>>
>>> # /path/to/my/config.dat:
>>>
>>> TestModule::whitelist_scan_ip = 10.1.2.0/24,10.1.3.0/24,10.1.4.0/24
>>>
>>>
>>>
>>> Thanks,
>>>
>>> Stephen
>>>
>>> ________________________________
>>> From: zeek-bounces@zeek.org <zeek-bounces@zeek.org> on behalf of Jan
>>> Grashöfer <jan.grashoefer@gmail.com>
>>> Sent: Thursday, March 14, 2019 6:02:35 AM
>>> To: zeek@zeek.org
>>> Subject: Re: [Zeek] Replacing the &synchronized attribute in 2.6
>>>
>>> On 14/03/2019 10:43, Michał Purzyński wrote:
>>> > do we have any example how to replace the old &synchronized attribute in
>>> > the new Broker-powered world? I looked at the documentation (it's extremely
>>> > verbose) and found nothing that I could relate to.
>>>
>>> https://docs.zeek.org/en/stable/frameworks/broker.html#porting-guide
>>>
>>> I guess data stores are the way to go.
>>> Jan
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek@zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>
>
>
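
An added example, not part of any message in this thread and not code from the Zeek project: one event-based way to replace a `&synchronized` set on a 2.6 cluster, in which workers report additions to the manager and the manager relays them to all workers. The module name `SyncDemo`, both events, and the `watch` function are hypothetical.

```zeek
# Added example: event-based replacement for a "&synchronized" set.
# Module, event, and function names are hypothetical.
module SyncDemo;

export {
	## Formerly: global watched: set[addr] &synchronized;
	global watched: set[addr];
	## Worker -> manager: request that an address be tracked cluster-wide.
	global add_watched: event(a: addr);
	## Manager -> workers: address accepted, update the local copy.
	global watched_added: event(a: addr);
	## Call this from detection code instead of "add watched[a]".
	global watch: function(a: addr);
}

function watch(a: addr)
	{
	if ( a in watched )
		return;
	add watched[a];
@if ( Cluster::is_enabled() && Cluster::local_node_type() != Cluster::MANAGER )
	Broker::publish(Cluster::manager_topic, add_watched, a);
@endif
@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
	Broker::publish(Cluster::worker_topic, watched_added, a);
@endif
	}

@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::MANAGER )
event SyncDemo::add_watched(a: addr)
	{
	if ( a in watched )
		return;
	add watched[a];
	# Relay to every worker; the worker that reported it already has it.
	Broker::publish(Cluster::worker_topic, watched_added, a);
	}
@endif

@if ( Cluster::is_enabled() && Cluster::local_node_type() == Cluster::WORKER )
event SyncDemo::watched_added(a: addr)
	{
	add watched[a];
	}
@endif
```

Unlike `&synchronized`, nothing propagates implicitly here: only changes made through `watch` reach other nodes, and a worker that restarts starts with an empty set until new events arrive.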



