[Bro-Dev] Updating / Accessing ConnVal from child analyzers
Vern Paxson
vern at icir.org
Fri Dec 10 18:16:55 PST 2010
> > Here's another idea:
> >
> > - move UpdateEndpointVal() from TransportAnalyzer to Analyzer
> >
> > - have BuildConnVal() iterate over the analyzer tree and call

This sounds good to me too.

> One disadvantage is now, that analyzers can change the actual ConnVal,
> including starttime.

This doesn't strike me as a significant problem in practice. It's not as
though we're dealing with adversarial Analyzers :-).

> What we could do though is to add an additional RecordVal to ConnVal,
> that analyzers can overwrite:

That strikes me as more complexity than is merited if the only concern is
isolating what Analyzers can do. (However, maybe this would be reasonable
as a generalization of $history.)

Vern