[Bro-Dev] Autodoc: how to link to another script?
Seth Hall
seth at icir.org
Wed Aug 10 13:22:45 PDT 2011
On Aug 10, 2011, at 4:13 PM, Gregor Maier wrote:
> sounds good to me. However, I wouldn't put it in base. I think the default should be to not decapsulate tunnels!
I agree. I think we should have a configuration variable to enable it, but the support for *how* it's actually accomplished and logged seems like something that should be in the base.
> Yeah. People using awk will hate that....
> (But I'm using mostly python these days anyways)
Actually they won't! I'm not sure how it will look in the end, but it's going to be something like this (Gilbert can give more and better detail):
ds2txt -s $'\t' -f host,uri,referrer http.ds.* | awk -F $'\t' '{if ($1 == "www.google.com") print}'
You get to dynamically create your own column ordering which will stay consistent since you're defining it at search time. The awk use-case is one that I'm trying to make sure is really nice because I use awk for a lot of stuff too. :)
> That's what's worrying me: people assuming a fixed ordering when writing analysis scripts. We should probably just mention this somewhere in the Getting Starting and From 1.5 to 2.0 HowTo.
Good point.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
More information about the bro-dev
mailing list