[Bro-Dev] notice tags?

Seth Hall seth at icir.org
Thu Jun 2 10:33:33 PDT 2011


On Jun 2, 2011, at 1:25 PM, Vern Paxson wrote:

>> Are notice tags used by anyone?
> 
> They are handy for grepping.  The tag also appears in the conn file
> (as an $addl element), so you can link the two together.

Heh, it actually doesn't right now. :)   

I'll add that back in (notice id in conn.log); I can see it being useful in some cases.  With the record extension stuff, I think I'll be implementing it as a separate field just for notices, and it will probably be implemented in the notice script itself.  I never liked that $addl field; it was always hard to figure out what it was for.

Should there be a separate and built-in way to generate unique ids?  What bothered me about the tag implementation in the notice script is that it's a bit difficult to figure out what's going on, due to dealing with the non-determinism of the tags because of the data it bases the tags on.  If we had a BiF that just generated unique IDs, we could build all of the determinism in there and wouldn't have to worry about it anymore where we need unique IDs.

Thanks,
 .Seth
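The two design points raised in this thread, a notice id derived from the notice's own data versus one handed out by a dedicated generator, and linking a notice back to its connection record, as an added Python illustration that is not Bro code and does not model any Bro BiF or script. The conn records, the `Example::Repeated_Login` note name and the `UniqueIdGenerator` class are constructed for the example:

```python
import hashlib
import itertools

# Constructed sample records shaped loosely like conn.log rows (not real Bro
# output). Two connections carry identical endpoint data on purpose.
CONN_LOG = [
    {"uid": "CA1", "ts": 1307000001.0,
     "id.orig_h": "10.0.0.5", "id.resp_h": "192.0.2.10", "id.resp_p": 22},
    {"uid": "CA2", "ts": 1307000002.0,
     "id.orig_h": "10.0.0.5", "id.resp_h": "192.0.2.10", "id.resp_p": 22},
]


def data_derived_tag(note, orig_h, resp_h, resp_p):
    """Tag computed from the notice's data, the style the thread finds hard
    to reason about: repeatable, but two notices with identical data get the
    same tag, so it is not a unique identifier."""
    material = f"{note}|{orig_h}|{resp_h}|{resp_p}".encode()
    return hashlib.sha1(material).hexdigest()[:12]


class UniqueIdGenerator:
    """Hypothetical stand-in for a 'just generate unique IDs' primitive: a node
    prefix plus a per-process counter. Uniqueness no longer depends on what
    data the notice happens to carry (assumption: one generator per node)."""

    def __init__(self, node):
        self.node = node
        self._counter = itertools.count(1)

    def next_id(self):
        return f"{self.node}-{next(self._counter):08x}"


def raise_notices(conn_records, note, idgen):
    """Emit one notice per connection, carrying the connection uid (for the
    conn.log link) plus a fresh notice id from the generator. The old
    data-derived tag is kept alongside for comparison."""
    notices = []
    for c in conn_records:
        notices.append({
            "notice_id": idgen.next_id(),
            "uid": c["uid"],
            "note": note,
            "tag_old": data_derived_tag(note, c["id.orig_h"],
                                        c["id.resp_h"], c["id.resp_p"]),
        })
    return notices


def link_notices_to_conns(notices, conn_log):
    """Join each notice back to its conn record through the shared uid,
    the 'link the two together' use case from the thread."""
    by_uid = {c["uid"]: c for c in conn_log}
    return {n["notice_id"]: by_uid[n["uid"]]
            for n in notices if n["uid"] in by_uid}


def count_collisions(values):
    """Number of duplicate identifiers in a list (0 means all unique)."""
    return len(values) - len(set(values))


if __name__ == "__main__":
    gen = UniqueIdGenerator("worker-1")
    notices = raise_notices(CONN_LOG, "Example::Repeated_Login", gen)
    print("old-tag collisions:", count_collisions([n["tag_old"] for n in notices]))
    print("generator-id collisions:", count_collisions([n["notice_id"] for n in notices]))
    for nid, conn in link_notices_to_conns(notices, CONN_LOG).items():
        print(nid, "->", conn["uid"], conn["id.orig_h"], conn["id.resp_h"])
```

The data-derived tag collides as soon as two notices describe the same endpoints, which is exactly the situation in which an analyst most needs to tell the two apart; the counter-based id stays unique regardless of payload, and carrying the connection uid on the notice is enough to recover the conn record without a shared `$addl` field.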
