[Bro-Dev] Notices done as event instead of function

Will baxterw3232 at gmail.com
Thu Jun 2 10:44:56 PDT 2011 

On Thu, Jun 2, 2011 at 1:14 PM, Seth Hall <seth at icir.org> wrote:
> I was updating the new notice scripts based on feedback from Robin and I started to change the notice pathway to be event based instead of function based because it provided an easy way for people to extend the built in notice framework with their own functionality but then I noticed this comment...

Personally, I like where you are going with making it easier to extend
the built in framework. There have been multiple occasions where I
have wanted to generate multiple custom email notices from 1 event.
For Example, if event occurs, log it and 'notice' as usual, but if it
is a notice contains an old version of 'Java' also email the help desk
at a different email address than the one that broctl knows to use. I
would also want to create a custom message format. This was easily
accomplished with a cron'd shell script that scrapes mail.log every
ten minutes, checks a static file to see if the host was already
alerted on, if not, add host to the file and send the email
identifying the time, host and version of software that needs to be
patched. I have figured there were ways to accomplish this in the
current release of bro, but took the simplest route.

>
> # This handler is useful for processing notices after the notice filters
> # have been applied and yielded an Notice::Action.
> #
> # It's tempting to make the default handler do the logging and
> # printing to notice_file, rather than NOTICE.  I hesitate to do that,
> # though, because it perhaps could slow down notification, because
> # in the absence of event priorities, the event would have to wait
> # behind any other already-queued events.
> event notice_action(n: Notice::Info, action: Notice::Action)
>        {
>        }
>
> I think that doing the notification and printing through an event has a lot of benefits but I see the downside too.  What does everyone else think?  Especially whomever wrote that comment. :)

What kind of delay or slow down are we talking here? Seconds or
minutes? I can't imagine it being more than a minute, which would be
the least of my worries as long as the time stamp in the notice was
accurate.

I didn't write the comment, but figured if you opened it up to
"everyone"... thanks for letting me share. :)

Will
>
> An extra side thought too is that the current event priorities system is not the same as the priorities mentioned in the comment (i think).
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro-ids.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>

More information about the bro-dev mailing list