I have been thinking and trying different things but for now, it appears that if we are to
share policies around, there is no easy way to be able to distribute input-files along
with policy files.
Basically, right now I use
redef Scan::whitelist_ip_file = "/usr/local/bro/feeds/ip-whitelist.scan" ;
and then expect everyone to edit the path as their setup demands it and place the accompanying
sample file in the directory or create one for themselves - this all introduces errors as
well as slows down deployment.
Is there a way I can use relative paths instead of absolute paths for input-framework
digestion? At present a new-heuristics dir can have __load__.bro with all policies, but
the input-framework won't read files relative to that directory or where it is placed.
redef Scan::whitelist_ip_file = "../feeds/ip-whitelist.scan" ;
Something similar to the __load__.bro model.
Also, one question I have is: should all input-files go to a 'standard'
feeds/input dir in Bro or be scattered around along with their accompanying Bro policies
(i.e. in individual directories)?
Something to think about, as with more and more reliance on the input-framework I think there
is a need for 'standardization' on where to put input-files and how to easily
find and read them.
Aashish