> + - On the osquery side, we need to assemble the event for sending > + to Broker. Generally, the columns returned by the ``SELECT`` > + will turn into the event's arguments. In addition, we add an > + always-present ``h: Host`` argument. The event arguments' types > + need to be mapped from what osquery returns to Broker types > + (which, in turn, correspond to Bro types); see next bullet. > + > + - It seems there are two possible ways of doing the type conversion: > + > + 1. Hardcoding: The osqery plugin retrieves the query response, > + iterates through its columns and builds up a Broker event > + to then send out. > + > + .. note:: > + > + I'm not quite sure what interface(s) osquery provides > + for extracting results. On the web page, I see JSON; not > + sure if there's something more direct. > + > + 2. Leveraging JSON: We can also extend Broker with a JSON > + interface, so that the osqery plugin can forward a JSON > + response directly. For this, we would: > + > + - Extend Broker's API with a function that builds an > + event from JSON; with some predefined mapping of how > + JSON values turn into Broker values. > + > + - Then call that function from the osquery plugin. > + > + Option (2) would actually be a nice interface for Broker to > + have anyways, as it opens it up to ingesting input from a > + variety of other JSON sources as well (we could write a an > + ingestion daemon that opens up a socket to which web > + applications can post JSON; but that's a different topic :).
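Review bot: typo "osqery" appears twice (in items 1 and 2) and should read "osquery", and "we could write a an ingestion daemon" should be "we could write an ingestion daemon". The ``.. note::`` under option 1 also leaves open which osquery interface the hardcoded variant would read results from (the JSON seen on the web page or something more direct); the text should state that before option 1 is weighed against option 2, since both options start from the same query response.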
I’m not sure what the difference between (1) and (2) is? Either one seems to do a JSON -> Broker-data conversion; the difference is just in whether that conversion code lives in the application that uses Broker or in the Broker library itself. I don’t think Broker itself is in any better position to actually do the conversion. Not opposed to putting such an example/template in Broker, just saying it may not be required to get the job done.

A third idea: it seems like here it would be doing a JSON -> Broker-data -> Bro-value conversion; instead, can Broker messages/events just be specified in terms of a JSON string parameter, then leave JSON -> Bro-value conversion up to Bro? Teaching Bro a good way to interface directly w/ JSON might also be beneficial in other areas.

- Jon

_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
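The thread above contrasts converting an osquery result row into typed Broker event arguments (options 1 and 2 in the quoted proposal, with the always-present ``h: Host`` argument) against shipping the JSON text as a single string argument and letting Bro parse it (Jon's third idea). The following is an added example written for this page, not code from Broker, Bro or osquery: Broker values are modelled as ``(type_name, value)`` tuples instead of the real Broker bindings, the event names ``osquery::process`` and ``osquery::result`` are hypothetical, and ``h: Host`` is modelled as a Broker ``addr``. One caveat the proposal's "predefined mapping of how JSON values turn into Broker values" glosses over is that osquery serialises every column value as a JSON string, so a mapping driven only by JSON types yields nothing but strings; the example therefore accepts an optional per-column schema and shows both behaviours.

```python
"""Added example (not Broker's, Bro's or osquery's own code): two ways to
turn an osquery JSON result row into an event payload for Broker.

Hypothetical modelling: Broker values are (type_name, python_value)
tuples, event names are made up, and ``h: Host`` is an ``addr``.
"""
import ipaddress
import json

# Constructed sample row. osquery emits every cell as a JSON string, so a
# mapping that only looks at JSON types sees nothing but strings here.
SAMPLE_ROW = json.dumps({
    "pid": "1234",
    "name": "sshd",
    "path": "/usr/sbin/sshd",
    "on_disk": "1",
    "cpu_time": "0.25",
})

# Hypothetical schema for the query's columns: the Bro type each column
# should become. Unlisted columns fall back to the JSON-type mapping.
PROCESS_SCHEMA = {"pid": "count", "on_disk": "bool", "cpu_time": "double"}


def host_arg(host):
    """The always-present ``h: Host`` argument, modelled as a Broker addr."""
    return ("addr", ipaddress.ip_address(host))


def json_value_to_broker(value, bro_type=None):
    """Predefined mapping from one JSON value to a (type, value) datum.

    Without a schema the JSON type decides; with one, osquery's stringified
    cells are coerced explicitly and bad values are rejected.
    """
    if bro_type is None:
        if isinstance(value, bool):          # bool is an int subclass: test first
            return ("bool", value)
        if isinstance(value, int):
            return ("count", value) if value >= 0 else ("int", value)
        if isinstance(value, float):
            return ("double", value)
        if isinstance(value, str):
            return ("string", value)
        raise TypeError("no Broker mapping for JSON %s" % type(value).__name__)
    if bro_type == "count":
        n = int(value)
        if n < 0:
            raise ValueError("count column holds negative value %r" % value)
        return ("count", n)
    if bro_type == "int":
        return ("int", int(value))
    if bro_type == "double":
        return ("double", float(value))
    if bro_type == "bool":
        return ("bool", str(value).lower() in ("1", "true"))
    if bro_type == "addr":
        return ("addr", ipaddress.ip_address(value))
    if bro_type == "string":
        return ("string", str(value))
    raise ValueError("unknown Bro type %r" % bro_type)


def row_to_event(event_name, host, row_json, schema=None):
    """Options (1)/(2): ``h`` first, then one argument per column, in the
    column order of the JSON object."""
    row = json.loads(row_json)
    if not isinstance(row, dict):
        raise ValueError("expected one JSON object per result row")
    schema = schema or {}
    args = [host_arg(host)]
    for column, cell in row.items():
        args.append(json_value_to_broker(cell, schema.get(column)))
    return (event_name, args)


def row_to_json_event(event_name, host, row_json):
    """Jon's third idea: ship the JSON text as a single string argument and
    leave the JSON -> Bro-value conversion to Bro."""
    json.loads(row_json)  # still refuse to forward malformed input
    return (event_name, [host_arg(host), ("string", row_json)])


if __name__ == "__main__":
    print(row_to_event("osquery::process", "10.0.0.5", SAMPLE_ROW, PROCESS_SCHEMA))
    print(row_to_event("osquery::process", "10.0.0.5", SAMPLE_ROW))
    print(row_to_json_event("osquery::result", "10.0.0.5", SAMPLE_ROW))
```

Running the first two calls side by side shows the practical difference between the two proposals: with the schema, ``pid`` becomes a ``count`` and ``on_disk`` a ``bool``; without it, every column arrives as a ``string``, so whoever owns the conversion (the plugin, Broker or Bro) also needs to know the query's column types, which is the part of the job that does not disappear by moving the code.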
