[Bro-Dev] Portmapper logging

Vern Paxson vern at icir.org
Mon Dec 6 09:57:00 PST 2010


> I dug around and checked how portmapper.bro does logging, notices, and
> interaction with other policy scripts. It seems that it

Yeah, portmapper.bro is in fact one of the earliest script components that
tackled complex protocol interactions at the scripting level.  (The other
is FTP.)  Because it predates the whole notice framework, it has a bunch
of cruft that approximates the sort of policy filtering that later gave
birth to notices.

> * The notice generation is very convoluted. I was wondering whether it
>   makes sense to clean that up. (the attached file at least documents
>   the behavior).

I am a *strong* believer in don't fix things like this unless there's a
pressing need.  I'm assuming your interest here is driven by the NFS
analysis for the enterprise traces.  If so, it would make sense to fix
(solely) those things necessary to expedite that analysis.  But don't go
further; it's too much of a potential time sink (cleaning up code can be
beguilingly fun :-) for insufficient benefit.

		Vern
