[Bro-Dev] Autodoc: how to link to another script?

Seth Hall seth at icir.org
Wed Aug 10 13:29:10 PDT 2011


On Aug 10, 2011, at 4:22 PM, Seth Hall wrote:

> On Aug 10, 2011, at 4:13 PM, Gregor Maier wrote:
> 
>> sounds good to me. However, I wouldn't put it in base. I think the default should be to not decapsulate tunnels!
> 
> I agree.  I think we should have a configuration variable to enable it, but the support for *how* it's actually accomplished and logged seems like something that should be in the base.


Continuing this thought... outside of base/ (in policy/protocols/conn) it might make sense to do things that actually "detect" something.  I consider non-obfuscated tunnel decapsulation very similar to normal protocol analysis.  The rule of thumb is that the scripts in base/ should only be doing protocol logging and state building, which is exactly what it sounds like your tunnel.bro script is doing. :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/



