[Bro-Dev] Notices done as event instead of function

Seth Hall seth at icir.org
Thu Jun 2 10:14:23 PDT 2011


I was updating the new notice scripts based on feedback from Robin, and I started to change the notice pathway to be event-based instead of function-based because it provided an easy way for people to extend the built-in notice framework with their own functionality, but then I noticed this comment...

# This handler is useful for processing notices after the notice filters
# have been applied and yielded an Notice::Action.
#
# It's tempting to make the default handler do the logging and
# printing to notice_file, rather than NOTICE.  I hesitate to do that,
# though, because it perhaps could slow down notification, because
# in the absence of event priorities, the event would have to wait
# behind any other already-queued events.
event notice_action(n: Notice::Info, action: Notice::Action)
	{
	}

I think that doing the notification and printing through an event has a lot of benefits, but I see the downside too.  What does everyone else think?  Especially whoever wrote that comment. :)

An extra side thought too is that the current event priorities system is not the same as the priorities mentioned in the comment (I think).

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/



