[Bro-Dev] Autodoc: how to link to another script?

Gregor Maier gregor at icir.org
Wed Aug 10 11:41:00 PDT 2011


On 8/10/11 11:22 , Seth Hall wrote:
>
> On Aug 10, 2011, at 2:17 PM, Gregor Maier wrote:
>
>> Or maybe a more general question for best practices: In my tunnel branch
>> I've added an optional column to conn.log showing the tunnel information.
>
> Where have you done this extension?  One of the rules of thumb I've been trying to follow is that frameworks don't depend on protocols.
>

The connection record type has an optional field tunnel_parent. I 
actually added that in bro.init, since I forgot that we can now extend 
records with +=.

from bro.init:

----8<------
module Tunnel;
export {
     ## Records the identity of the parent of a tunneled connection.
     type parent_t: record {
         ## The 4-tuple of the tunnel "connection".
         cid: conn_id;
         ## The type of tunnel.
         tunnel_type: tunneltype_t;
     } &log;
} # end export
module GLOBAL;

type connection: record {
     [the other fields]
     tunnel_parent: Tunnel::parent_t &optional;
};
----8<------

I could actually add this tunnel_parent field in my tunnel.bro script 
that logs child-conn-id <--> parent_t


However, today I thought it might be handy to at least add the 
tunneltype to conn.log as an indicator whether a particular connection 
was tunneled or not. That's why I added a "tunnel_type" field to the 
Conn::Info record (in conn.bro).
So, while I directly modified the conn/main.bro script, it doesn't 
depend on the code in the framework part. Not sure what you mean by
"depend" though.

I guess I could also try to extend Conn::Info in tunnel.bro, right. 
However, if multiple scripts do this, then the order of columns in 
conn.log would depend on the order in which these scripts are 
loaded..... Thinking of this some more, I think that the http-scripts 
already do this, so the order of columns isn't well-defined anyways, 
right? And if somebody writes a script to parse a bro log file, then one 
has to check the header, right?


cu
gregor
-- 
Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/
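
Added example (not part of the original message, and not Bro project code): a log reader that takes column names from the header, so that an optional column such as tunnel_type is found wherever script load order happens to place it. It assumes the Bro 2.x ASCII log header lines (#separator, #unset_field, #fields); the sample logs, the "service_hint" column and the EXAMPLE_TUNNEL value are constructed.

```python
# Added example: read a Bro ASCII log by column name, not by position.
# Header layout (#separator, #unset_field, #fields) is assumed to be Bro 2.x style.

def parse_bro_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    sep, unset, fields = "\t", "-", None
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Stored escaped, e.g. the four characters \x09 for a tab.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line[1:].split(sep)
            if key == "fields":
                fields = vals
            elif key == "unset_field" and vals:
                unset = vals[0]
        elif line:
            if fields is None:
                raise ValueError("data row before #fields header")
            cols = line.split(sep)
            if len(cols) != len(fields):
                raise ValueError("row width does not match #fields")
            yield {f: (None if v == unset else v) for f, v in zip(fields, cols)}

def tunneled_connections(text):
    """Return (uid, tunnel_type) for rows where the optional column is set."""
    return [(r["uid"], r["tunnel_type"])
            for r in parse_bro_log(text) if r.get("tunnel_type")]

# Constructed samples. "service_hint" is a hypothetical second extension column
# and EXAMPLE_TUNNEL a made-up value; LOG_B has the two columns in the other order.
HEAD = "#separator \\x09\n#unset_field\t-\n#path\tconn\n"
LOG_A = HEAD + ("#fields\tts\tuid\ttunnel_type\tservice_hint\n"
                "1312999260.0\tC1\tEXAMPLE_TUNNEL\t-\n"
                "1312999261.0\tC2\t-\thint\n")
LOG_B = HEAD + ("#fields\tts\tuid\tservice_hint\ttunnel_type\n"
                "1312999260.0\tC1\t-\tEXAMPLE_TUNNEL\n"
                "1312999261.0\tC2\thint\t-\n")
LOG_C = HEAD + "#fields\tts\tuid\n1312999260.0\tC1\n"  # tunnel script not loaded

if __name__ == "__main__":
    for name, log in (("A", LOG_A), ("B", LOG_B), ("C", LOG_C)):
        print(name, tunneled_connections(log))
```

A reader that indexed columns by position would report different values for LOG_A and LOG_B; keyed by header name, both give the same result, and a log without the column yields no tunneled connections instead of an error.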

