[Bro-Dev] notice actions
Seth Hall
seth at icir.org
Tue Jul 19 17:31:28 PDT 2011
On Jul 19, 2011, at 5:58 PM, Robin Sommer wrote:
> Is it sufficient to record just the notice item but not the action
> type? Then you could do just set[count].
You wouldn't be able to do the membership checks anymore. They're done like this now...
    if ( ACTION_EMAIL in n$actions )
        email_notice_to(n, mail_dest, T);
> Or you do the table but manually turn it into a string for logging.
Yeah, I thought of that. It just feels really hacky and I've been trying to avoid things that feel hacky. :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/