This was a year long project I worked with Prof. Eric Keller, Matt Monaco, and Oliver Michel on to integrate the Bro intrusion detection system (IDS) into our own Yanc SDN controller. My main goal was to implement the ability to change scripts variables on the fly for the same scripts on multiple devices through a single controller unit.
Object Oriented Python, Bro IDS, Broccoli API, FUSE, Git
This was the first serious open source project that I worked on in an academic context. I had had some experience with Bro in my job at our campus Network security office, yet I had never really had any opportunities to create anything with it beyond simple scripts. Working through the Broccoli API to interface with Bro through a Python application, I implemented the ability to change multiple scripts in real time from a single controller program. I did this by creating custom Bro modules (think header files) that would be pre-programmed with the information to communicate with the controller unit. This controller program was python application would parse terminal input into global commands for a potential cluster of Bro devices each running the same script but with different variables by device. Imagine you had 4 Bro devices on a network and they each alert you when someone connects to a different IP address. You can change this IP on each of them so they alert you at different times. I had never really used Python classes before, so it was a learning experience coming from the behemoth that is Java OOP. I hope to continue this project into 2015 by implementing a quality of service system regulating how Bro gets its data to run its scripts on.
Hard Lessons Learned
The biggest learning experience for me on this project was the right way to work with objects. I had originally intended to have a purely functional program, but as I started working with the complex system of sockets that Broccoli uses, I found making connection classes to be far more comprehensible and scalable.
Soft Lessons Learned
I learned how to work with a group on larger open source project in an academic context. I had no idea how important performance testing is, not just to see how well the program works, but whether it even really works at all. Also, much of the functionality I implemented would have only required slight modifications to the Bro Control program.