[Bro-Dev] "event" signature option.

Robin Sommer robin at icir.org
Thu Aug 18 08:12:25 PDT 2011


On Thu, Aug 18, 2011 at 10:43 -0400, you wrote:

>  It seems to me like you'd provide the name of an event handler to the
>  event option which would then be triggered when the signature
>  matches.

Yeah, that would be the right way to do it. The current scheme was
driven by the Snort-to-Bro conversion we were doing back then, when
other signature uses weren't really on the radar.

I'm fine changing that, but perhaps we should then add another keyword
like "notice" that always triggers the signature_match event (or then
perhaps signature_notice). That would make it clear which signatures
are triggering a notice, vs. those which are for other stuff.

The reason for passing the string is mainly convenience: without it,
the script layer would need a mapping id->msg for giving the user more
context in the notice. I'd keep that with the signature_notice event
if we go that way, but skip it for other events.

Robin


-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
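The scheme the mail describes (a signature's "event" option carries a message string, and the script layer's signature_match handler receives that string and turns it into a notice) as an added, constructed example; this is not code from the thread or from the Bro project. It assumes the Bro 2.x-style notice framework (Notice::Type, NOTICE with a Notice::Info record) and a signature file named example.sig in the same directory; the signature itself, the notice type Signature_Hit, and the module name SigDemo are all made up for illustration.

```bro
# Constructed example: one signature carrying a message string, plus the
# script-side handler that receives it via signature_match.

# --- contents of example.sig (signature file, shown here as a comment) ---
# signature root-login-banner {
#     ip-proto == tcp
#     dst-port == 23
#     payload /.*[Rr]oot/
#     event "Possible root login attempt"    # string handed to signature_match
# }

module SigDemo;

export {
    # Hypothetical notice type for signature hits (not a Bro built-in).
    redef enum Notice::Type += { Signature_Hit };
}

# Load the signature file (assumed to sit next to this script).
redef signature_files += "example.sig";

# Per-signature hit counter, keyed by the signature's id.
global hits: table[string] of count &default=0;

# Current scheme: every "event" signature lands here; the msg argument is
# the string from the signature, so no id->msg mapping is needed in the
# script layer.
event signature_match(state: signature_state, msg: string, data: string)
    {
    ++hits[state$sig_id];

    NOTICE([$note=Signature_Hit,
            $conn=state$conn,
            $msg=fmt("%s (signature %s, hit #%d)", msg, state$sig_id, hits[state$sig_id]),
            $sub=data]);
    }
```

The handler reads the message straight from the signature, which is the convenience point raised above; if a dedicated signature_notice keyword were introduced, this handler would be the natural home for that path while other signatures could name their own event handlers instead.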

