[Bro-Dev] Opinions on trace rewriter?

Vern Paxson vern at icir.org
Mon Oct 25 10:31:16 PDT 2010


> What are the opinions on completely removing the trace rewriter from
> the Bro code base?

I would like to keep it.  I hear you on the benefits of removing.  However:

> Cons:
> 
> - It's pretty cool functionality and nobody else has it. 

Yep.  It remains a striking demonstration of what's possible, IMHO, plus
it has for me a flavor of potentially leading to serendipitous uses.  Also:

> I really like the rewriting but I'm thinking it would be better done
> in an external tool than inside Bro itself. 

It doesn't make sense as an external tool.  It uses the coupling between
Bro event generation and Bro policy scripts to do the rewriting.  You'd
have to write Bro all over again.

Now, if you're willing to pledge that BinPAC++ will support rewriting
functionality .... then I could see removing the existing code. :-)

		Vern


