[Bro-Dev] notice actions

Seth Hall seth at icir.org
Tue Jul 19 13:35:20 PDT 2011


I'm trying to come up with a way to add the code to make it possible to determine which notice policy item added an action to a notice and I'm running into some trouble.

My initial thought was to make the set of notice actions turn into a table yielding a set of counts.  Like this...

		## The actions that are to be applied to this notice.  The set[count] 
		## is to indicate which :bro:id:`Notice::policy` items
		## triggered the action being added to the notice.
		actions:        table[Notice::Action] of set[count] &log &optional;

The problem with this is that tables aren't loggable.  I also thought about using a multiply keyed index for the set, but that doesn't work either because I need to be able to check for action membership in each of the action plugins (that actually does the action). I'm just not coming up with any good solutions unfortunately and I'm getting the feeling we're going to have to hack this in.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/



