[Bro-Dev] "event" signature option.

Gregor Maier gregor at icir.org
Thu Aug 18 10:34:21 PDT 2011


>>   It seems to me like you'd provide the name of an event handler to the
>>   event option which would then be triggered when the signature
>>   matches.

I like that idea a lot!

> I'm fine changing that, but perhaps we should then add another keyword
> like "notice" that always triggers the signature_match event (or then
> perhaps signature_notice). That would make it clear which signatures
> are triggering a notice, vs. those which are for other stuff.

I think we should then aim for the next release, since it would break 
current signature files. So it seems appropriate to do something 
disruptive like this together with all the other disruptive changes.


> The reason for passing the string is mainly convenience: without it,
> the script layer would need a mapping id->msg for giving the user more
> context in the notice. I'd keep that with the signature_notice event
> if we go that way, but skip for other events.

ACK. It's a nice way to "group" signatures together by supplying the 
same string message to all of them.

just my 2ct
Gregor
-- 
Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/

