[Bro-Dev] Notice::Info$src

Robin Sommer robin at icir.org
Tue Nov 1 08:17:31 PDT 2011


I know we've talked about this a few times, but I don't remember what
the final verdict was: what are the semantics of the "src" field in
Notice::Info now?

The comment says:

    ## Source address, if we don't have a :bro:type:`conn_id`.
    src:            addr           &log &optional;

But the Server_Found notice sets it like this:

    NOTICE([$note=Server_Found,
        $msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s, c$id$resp_p, (known ? " (update)" : "")),
        $p=c$id$resp_p, $sub=s, $conn=c,
        $src=c$id$resp_h, $n=a]);

Robin

--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

