[Bro-Dev] Call for opinions on logging framework syntax problem
gregor at ICSI.Berkeley.EDU
Thu Dec 1 19:57:46 PST 2011
On 12/1/11 9:27 , Robin Sommer wrote:
> So looks like we don't really have much of a better idea than using
> the attribute Bernhard originally proposed? (At least nothing short of
> removing the port type altogether ...)
I would still opt for making the logging framework log port and protocol
as foo.port foo.proto!
Vectors and sets of ports might be problematic but:
* It doesn't appear that vectors/sets of ports are currently used.
* How do I specify the attribute for sets/vectors of ports? For the
whole vector at once?
* What if I want to add ports with different protocols to a set/vector
(e.g., logging the now obsolete port_names or a set of sensitive
* It feels really hack-y!
* Non-ASCII backends should be able to handle it fairly easily. (E.g.,
vector of ports in a relational DB would probably be modeled as a
n:m relationship anyways)
* Need to find a solution for ASCII output of vectors/sets of ports.
Maybe special case them
* BTW: if you have sets, vectors in the output, then the log file must
also have an annotation to say what type is in the vector/set, right?
* Maybe we could use two columns in general but use the 80/tcp notation
for sets/vectors? Or we just simply use a space or some other
character to separate the port number and the protocol.
If you think that two columns don't work, then I would still prefer
something like "80/tcp" in ASCII. Yes it duplicates the protocol but
it's IMHO the cleaner solution than using the attribute. One argument
for that is that it's printed in the same way a script writer would have
to write it if it were a constant.
<gregor at icir.org> <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
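As an added illustration that is not part of the mailing-list post or of Bro's own code: the two representations under discussion, a single "80/tcp" column (also for sets/vectors, here comma-separated) versus split foo.port / foo.proto columns, side by side in a small Python parser. The tab-separated layout, the `#fields`/`#types` header lines carrying the per-column type annotation the post says sets/vectors would need, the comma as set separator and "-" as the unset marker are all assumptions of this example, and the log lines are constructed. Malformed ports are rejected per record rather than aborting the whole parse, which is what a log consumer on the detection side usually wants.

```python
"""Parse ports from a constructed Bro-style ASCII log, in both of the forms
discussed in the thread: (a) one column in "80/tcp" notation, used for single
ports and for sets/vectors of ports; (b) two columns, port number and protocol.
The header layout and separators are assumptions of this example."""
from typing import Dict, List, Tuple

Port = Tuple[int, str]
PROTOS = {"tcp", "udp", "icmp", "unknown"}

# Constructed sample log (NOT a real Bro log). Tab-separated; the #types line
# is the per-column type annotation the post argues sets/vectors require.
# id.resp_p uses form (a); resp_p/resp_proto carry the same port in form (b);
# sensitive_ports is a set[port] mixing protocols. The last line holds an
# out-of-range port to exercise the error path.
SAMPLE_LOG = (
    "#fields\tts\tid.resp_h\tid.resp_p\tsensitive_ports\tresp_p\tresp_proto\n"
    "#types\ttime\taddr\tport\tset[port]\tcount\tstring\n"
    "1322784000.0\t10.0.0.5\t80/tcp\t22/tcp,53/udp,161/udp\t80\ttcp\n"
    "1322784001.0\t10.0.0.6\t443/tcp\t-\t443\ttcp\n"
    "1322784002.0\t10.0.0.7\t99999/tcp\t22/tcp\t99999\ttcp\n"
)


def parse_port(text: str) -> Port:
    """Parse '80/tcp' into (80, 'tcp'); reject malformed or out-of-range values."""
    num, sep, proto = text.partition("/")
    if not sep or proto not in PROTOS or not num.isdigit():
        raise ValueError(f"malformed port {text!r}")
    n = int(num)
    if not 0 <= n <= 65535:
        raise ValueError(f"port out of range {text!r}")
    return n, proto


def parse_port_collection(text: str) -> List[Port]:
    """Parse a set/vector of ports; '-' (assumed unset marker) yields []."""
    if text in ("-", ""):
        return []
    return [parse_port(p) for p in text.split(",")]


def parse_value(typ: str, text: str):
    """Dispatch on the #types annotation for the column."""
    if typ == "port":
        return parse_port(text)
    if typ in ("set[port]", "vector[port]"):
        return parse_port_collection(text)
    if typ == "count":
        return int(text)
    if typ == "time":
        return float(text)
    return text  # addr, string, ...: kept as-is for this example


def parse_log(log: str) -> List[Dict]:
    """Return one dict per data line; malformed lines become {'error': ...}."""
    fields = types = None
    records: List[Dict] = []
    for lineno, line in enumerate(log.splitlines(), 1):
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#types\t"):
            types = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if fields is None or types is None or len(cols) != len(fields):
            records.append({"error": f"line {lineno}: header/column mismatch"})
            continue
        try:
            records.append({f: parse_value(t, c)
                            for f, t, c in zip(fields, types, cols)})
        except ValueError as e:
            records.append({"error": f"line {lineno}: {e}"})
    return records


def split_columns_agree(rec: Dict) -> bool:
    """Cross-check form (a) against form (b) for the same port in one record."""
    return rec.get("id.resp_p") == (rec.get("resp_p"), rec.get("resp_proto"))


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LOG):
        print(rec)
```

Usage: `parse_log(SAMPLE_LOG)` yields two parsed records and one error entry for the 99999/tcp line; `split_columns_agree` on a parsed record confirms that the duplicated protocol in the "80/tcp" column matches the split columns, which is the redundancy the post accepts in exchange for the cleaner notation.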