activecm / rita-legacy

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
GNU General Public License v3.0
2.51k stars, 361 forks

Bro to MongoDB Direct Connect Plug In #70

Open Zalgo2462 opened 7 years ago

Zalgo2462 commented 7 years ago

Bro IDS possesses an extensible architecture allowing for new code to be distributed and run alongside it. In particular, it allows plugins to define new log writers. In theory, a plugin to write Bro data to MongoDB directly could be written.

Unfortunately, there isn't great documentation on how to go about doing this.

http://supbrosup.blogspot.com/2014/09/bro-plugins.html describes the process of making a C++ function available to Bro via the plugin system.

https://github.com/0xxon/bro-postgresql is an example of a Bro plugin which writes to an SQL server.

https://github.com/bro/bro/blob/master/src/logging is the source code for the logging plugin framework. It appears to be well documented from a code perspective.

JonZeolla commented 7 years ago

I'm currently working with the bro team to improve this documentation as a part of my efforts to update and improve the bro Kafka writer plugin. I'll provide updates here as I have them.

Zalgo2462 commented 6 years ago

https://github.com/ocmdev/bro-mongodb Work has begun on a Bro to MongoDB plugin. Currently it does not support rolling over databases day by day. Additionally, #150 blocks the use of the plugin.
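The two practical problems raised in this thread are (a) turning Bro's typed log fields into documents a MongoDB writer could store and (b) rolling the target database over day by day. The following is an added example, not code from RITA, bro-mongodb, or the Bro project: it parses a small constructed `conn.log` in Bro's ASCII log format (the `#separator`, `#fields`, `#types`, `#unset_field`, `#empty_field` and `#set_separator` header directives are the real ones; the rows are made up), converts each cell according to its declared Bro type, nests dotted field names such as `id.orig_h` into sub-documents, and buckets the resulting documents by the UTC day of their `ts` field. The `prefix-YYYY-MM-DD` database naming is an assumption made for illustration, not RITA's actual convention.

```python
"""Parse a Bro ASCII log into typed documents and bucket them by UTC day.

Added example; not part of RITA or bro-mongodb. Only the header directive
names and the Bro type names are taken from Bro's documented log format.
"""
import datetime
import ipaddress
from typing import Any, Dict, List, Tuple

# Constructed sample conn.log (header lines follow Bro's format; rows are made up).
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tconn_state\tlocal_orig\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval\tcount\tstring\tbool\tset[string]
1499990400.123456\tCabc1\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\t12.5\t1024\tSF\tT\t(empty)
1500076800.000000\tCabc2\t10.0.0.5\t51235\t192.0.2.10\t443\ttcp\t-\t-\tS0\tF\tCabc1,Cabc9
#close\t2017-07-15-00-00-01
"""


def convert_value(raw: str, btype: str, meta: Dict[str, Any]) -> Any:
    """Convert one cell to a Python value based on its Bro type name."""
    if raw == meta.get("unset_field", "-"):
        return None                                   # field was never set
    if btype.startswith(("set[", "vector[")):
        if raw == meta.get("empty_field", "(empty)"):
            return []                                 # set/vector with no elements
        inner = btype[btype.index("[") + 1:-1]
        sep = meta.get("set_separator", ",")
        return [convert_value(item, inner, meta) for item in raw.split(sep)]
    if raw == meta.get("empty_field", "(empty)"):
        return ""
    if btype in ("count", "int", "port"):
        return int(raw)
    if btype in ("time", "interval", "double"):
        return float(raw)
    if btype == "bool":
        return raw == "T"
    if btype == "addr":
        return str(ipaddress.ip_address(raw))        # raises on a malformed address
    if btype == "subnet":
        return str(ipaddress.ip_network(raw, strict=False))
    return raw                                        # string, enum: keep as text


def _assign(doc: Dict[str, Any], dotted: str, value: Any) -> None:
    """Store value under a dotted name as nested dicts (MongoDB keys may not contain '.')."""
    parts = dotted.split(".")
    for part in parts[:-1]:
        doc = doc.setdefault(part, {})
    doc[parts[-1]] = value


def parse_bro_log(text: str) -> Tuple[Dict[str, Any], List[Dict[str, Any]]]:
    """Return (meta, rows): the '#' directives and one typed document per data row."""
    meta: Dict[str, Any] = {"separator": "\t"}
    fields: List[str] = []
    types: List[str] = []
    rows: List[Dict[str, Any]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator directive is the one header written with a space and an
                # escaped value (e.g. \x09); decode the escape to get the real separator.
                escaped = line[len("#separator "):]
                meta["separator"] = bytes(escaped, "ascii").decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(meta["separator"])
            if key == "fields":
                fields = value.split(meta["separator"])
            elif key == "types":
                types = value.split(meta["separator"])
            else:
                meta[key] = value
            continue
        cells = line.split(meta["separator"])
        if len(cells) != len(fields) or len(fields) != len(types):
            raise ValueError("row does not match #fields/#types header: %r" % line)
        row: Dict[str, Any] = {}
        for name, btype, raw in zip(fields, types, cells):
            _assign(row, name, convert_value(raw, btype, meta))
        rows.append(row)
    return meta, rows


def database_for(ts: float, prefix: str = "rita") -> str:
    """Assumed naming scheme: one database per UTC day, '<prefix>-YYYY-MM-DD'."""
    day = datetime.datetime.fromtimestamp(ts, datetime.timezone.utc).strftime("%Y-%m-%d")
    return f"{prefix}-{day}"


def bucket_by_day(rows: List[Dict[str, Any]], prefix: str = "rita") -> Dict[str, List[Dict[str, Any]]]:
    """Group documents by the database they would be written to."""
    buckets: Dict[str, List[Dict[str, Any]]] = {}
    for row in rows:
        buckets.setdefault(database_for(row["ts"], prefix), []).append(row)
    return buckets


if __name__ == "__main__":
    meta, rows = parse_bro_log(SAMPLE_CONN_LOG)
    for db, docs in sorted(bucket_by_day(rows).items()):
        print(db, meta["path"], len(docs), "documents")
```

A writer that keeps a per-day handle keyed by `database_for(ts)` and closes the previous day's handle when the key changes gets the rollover behaviour for free; the same conversion table is what a native plugin would have to implement on top of Bro's own field types instead of on the ASCII output.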