[Bro-Dev] Call for opinions on logging framework syntax problem

Gregor Maier gregor at ICSI.Berkeley.EDU
Thu Dec 1 19:57:46 PST 2011


On 12/1/11 9:27 , Robin Sommer wrote:
> So looks like we don't really have much of a better idea than using
> the attribute Bernhard originally proposed? (At least nothing short of
> removing the port type altogether ...)

I would still opt for making the logging framework log port and protocol 
as foo.port foo.proto!

Vectors and sets of ports might be problematic but:

* It doesn't appear that vectors/sets of ports are currently used.
* How do I specify the attribute for sets/vectors of ports? For the
   whole vector at once?
* What if I want to add ports with different protocols to a set/vector
   (e.g., logging the now obsolete port_names or a set of sensitive
   ports).
* It feels really hack-y!
* Non-ASCII backends should be able to handle it fairly easily. (E.g.,
   a vector of ports in a relational DB would probably be modeled as
   an n:m relationship anyways.)
* Need to find a solution for ASCII output of vectors/sets of ports.
   Maybe special case them
* BTW: if you have sets, vectors in the output, then the log file must
   also have an annotation to say what type is in the vector/set, right?
* Maybe we could use two columns in general but use the 80/tcp notation
   for sets/vectors? Or we just simply use a space or some other
   character to separate the port number and the protocol.

If you think that two columns don't work, then I would still prefer 
something like "80/tcp" in ASCII. Yes it duplicates the protocol but 
it's IMHO the cleaner solution than using the attribute. One argument 
for that is that it's printed in the same way a script writer would have 
to write it if it were a constant.


cu
Gregor

-- 
Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/
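To make the two proposals concrete, here is an added example (not Bro code and not from anyone in this thread) in Python: a hypothetical ASCII log writer/reader that uses the hybrid floated in the message above, two columns (foo.port, foo.proto) for a scalar port and "80/tcp" notation inside a single column for sets/vectors of ports, so that a set mixing protocols still round-trips. The #fields/#types header layout, the tab separator, the comma set separator, the "(empty)" marker, the column names and the sample record are all assumptions of this example.

```python
"""Hypothetical Bro-style ASCII log writer/reader for `port` values.

Added example, not Bro's logging framework. Scalar ports are split into
two columns (name.port, name.proto); sets/vectors of ports are written
as "80/tcp,53/udp" in one column, since a two-column split of a container
would have to pair numbers and protocols by position.
"""
from collections import namedtuple

Port = namedtuple("Port", ["num", "proto"])  # e.g. Port(80, "tcp")

SEP = "\t"          # assumed: tab-separated columns
SET_SEP = ","       # assumed: separator between set/vector elements
EMPTY = "(empty)"   # assumed: marker for an empty set/vector
PROTOS = ("tcp", "udp", "icmp", "unknown")
PORT_CONTAINERS = ("set[port]", "vector[port]")


def port_to_slash(p):
    """Port(80, 'tcp') -> '80/tcp', the way a script writer types the constant."""
    return f"{p.num}/{p.proto}"


def slash_to_port(s):
    """Parse '80/tcp'; reject anything that is not a valid number/proto pair."""
    num, _, proto = s.partition("/")
    if not num.isdigit() or not 0 <= int(num) <= 65535 or proto not in PROTOS:
        raise ValueError(f"bad port literal: {s!r}")
    return Port(int(num), proto)


def header(schema):
    """Build the #fields and #types header lines for a schema of (name, type).
    A scalar port becomes two columns; containers of ports stay one column."""
    fields, types = [], []
    for name, typ in schema:
        if typ == "port":
            fields += [f"{name}.port", f"{name}.proto"]
            types += ["count", "enum"]
        else:
            fields.append(name)
            types.append(typ)
    return "#fields" + SEP + SEP.join(fields) + "\n#types" + SEP + SEP.join(types)


def encode_row(schema, record):
    """Serialize one record as a tab-separated line."""
    cols = []
    for name, typ in schema:
        v = record[name]
        if typ == "port":
            cols += [str(v.num), v.proto]
        elif typ in PORT_CONTAINERS:
            # A set has no order, so sort it to get a stable line.
            ports = sorted(v) if typ == "set[port]" else list(v)
            cols.append(SET_SEP.join(port_to_slash(p) for p in ports) if ports else EMPTY)
        else:
            cols.append(str(v))
    return SEP.join(cols)


def decode_row(schema, line):
    """Parse a line back into a record, validating every port value."""
    cols = line.split(SEP)
    rec, i = {}, 0
    for name, typ in schema:
        if typ == "port":
            rec[name] = slash_to_port(f"{cols[i]}/{cols[i + 1]}")  # reuse the validator
            i += 2
            continue
        col = cols[i]
        i += 1
        if typ in PORT_CONTAINERS:
            ports = [] if col == EMPTY else [slash_to_port(x) for x in col.split(SET_SEP)]
            rec[name] = set(ports) if typ == "set[port]" else ports
        elif typ == "count":
            rec[name] = int(col)
        else:
            rec[name] = col
    if i != len(cols):
        raise ValueError("column count does not match schema")
    return rec


# Constructed sample: a connection-like record plus a set of "sensitive"
# ports that mixes protocols, the case a two-column split cannot express.
SCHEMA = [("uid", "string"), ("id.orig", "port"), ("id.resp", "port"),
          ("sensitive", "set[port]"), ("bytes", "count")]
SAMPLE = {"uid": "CAbc123", "id.orig": Port(51234, "tcp"), "id.resp": Port(80, "tcp"),
          "sensitive": {Port(22, "tcp"), Port(53, "udp"), Port(161, "udp")}, "bytes": 512}


def roundtrip(record, schema=SCHEMA):
    return decode_row(schema, encode_row(schema, record))


if __name__ == "__main__":
    print(header(SCHEMA))
    print(encode_row(SCHEMA, SAMPLE))
    assert roundtrip(SAMPLE) == SAMPLE
```

The #types line is what lets a reader know that the single "sensitive" column holds a set of ports rather than a set of strings, which is the annotation the message asks about; the scalar columns carry the protocol as an enum, so a non-ASCII backend can map them to separate fields without parsing.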

