
Bro to MongoDB Direct Connect Plug In

Open Zalgo2462 opened this issue 7 years ago • 2 comments

Bro IDS possesses an extensible architecture allowing new code to be distributed and run alongside it. In particular, it allows plugins to define new log writers. In theory, a plugin to write Bro data to MongoDB directly could be written.

Unfortunately, there isn't great documentation on how to go about doing this.

http://supbrosup.blogspot.com/2014/09/bro-plugins.html describes the process of making a C++ function available to Bro via the plugin system.

https://github.com/0xxon/bro-postgresql is an example of a Bro plugin which writes to an SQL server.

https://github.com/bro/bro/blob/master/src/logging is the source code for the logging plugin framework. It appears to be well documented from a code perspective.

Zalgo2462, May 22 '17 20:05
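The issue body describes plugins that register new log writers but not how such a writer gets attached to a log stream. The script below is an added example, not code from the rita issue or from the bro-mongodb project: it wires a plugin-supplied writer into Conn::LOG through the standard Log::add_filter API. The writer enum name Log::WRITER_MONGODB and the $config keys (uri, db) are assumptions about what a MongoDB writer plugin would register and read; Log::Filter, $path_func, $exclude, strftime and Reporter::error are standard Bro script-layer features.

```bro
# Added example (not from the rita issue or the bro-mongodb project): how a
# writer supplied by a plugin is selected from Bro script land. The enum
# Log::WRITER_MONGODB and the config keys are assumptions about the plugin;
# Log::add_filter, Log::Filter and its $path_func field are standard Bro.

# Bro hands the filter's path to path_func for every record, so a daily
# suffix can be computed at the script layer even when the writer itself
# has no rollover support. Whether a given writer maps the path to a
# collection name is the writer's decision (assumption for MongoDB).
function daily_path(id: Log::ID, path: string, rec: any): string
	{
	return fmt("%s_%s", path, strftime("%Y%m%d", network_time()));
	}

event bro_init()
	{
	# Leave the default ASCII conn.log in place and add a second destination.
	local f: Log::Filter = [
		$name      = "conn-mongo",
		$writer    = Log::WRITER_MONGODB,      # assumption: name registered by the plugin
		$path      = "conn",
		$path_func = daily_path,
		$exclude   = set("tunnel_parents"),    # drop a field the consumer does not need
		$config    = table(["uri"] = "mongodb://localhost:27017",
		                   ["db"]  = "bro")    # assumption: keys read by the writer
	];

	if ( ! Log::add_filter(Conn::LOG, f) )
		Reporter::error("could not attach MongoDB filter to Conn::LOG");
	}
```

Because filters are additive, the original ASCII writer keeps running alongside the new one, which is the safe way to trial a third-party writer: if the plugin fails to load, Bro reports the unknown writer enum at parse time and the existing logs are untouched.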

I'm currently working with the bro team to improve this documentation as a part of my efforts to update and improve the bro Kafka writer plugin. I'll provide updates here as I have them.

JonZeolla, May 22 '17 21:05

https://github.com/ocmdev/bro-mongodb Work has begun on a Bro to MongoDB plugin. Currently it does not support rolling over databases day by day. Additionally, #150 blocks the use of the plugin.

Zalgo2462, Dec 14 '17 20:12