[Bro-Dev] Autodoc: how to link to another script?
seth at icir.org
Wed Aug 10 13:29:10 PDT 2011
On Aug 10, 2011, at 4:22 PM, Seth Hall wrote:
> On Aug 10, 2011, at 4:13 PM, Gregor Maier wrote:
>> sounds good to me. However, I wouldn't put it in base. I think the default should be to not decapsulate tunnels!
> I agree. I think we should have a configuration variable to enable it, but the support for *how* it's actually accomplished and logged seems like something that should be in the base.
Continuing this thought... outside of base/ (in policy/protocols/conn) it might make sense to do things that actually "detect" something. I consider non-obfuscated tunnel decapsulation very similar to normal protocol analysis. The rule of thumb is that the scripts in base/ should only be doing protocol logging and state building, which is exactly what it sounds like your tunnel.bro script is doing. :)
International Computer Science Institute
(Bro) because everyone has a network