[Bro-Dev] Call for opinions on logging framework syntax problem

Robin Sommer robin at icir.org
Fri Dec 2 08:17:40 PST 2011


On Thu, Dec 01, 2011 at 19:57 -0800, you wrote:

> * It feels really hack-y!

Maybe, but all the two-column solutions even more!

> If you think that two columns don't work, then I would still prefer  
> something like "80/tcp" in ASCII. Yes it duplicates the protocol but  
> it's IMHO the cleaner solution than using the attribute. One argument  
> for that is that it's printed in the same way a script writer would have  
> to write it if it were a constant.

The argument against that is that now everybody reading the logs needs
to parse the ports (rather than being able to just read integers).

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org


More information about the bro-dev mailing list