[Bro-Dev] Notices done as event instead of function

Vern Paxson vern at icir.org
Thu Jun 2 10:49:47 PDT 2011


> What kind of delay or slow down are we talking here? Seconds or
> minutes? I can't imagine it being more than a minute, which would be
> the least of my worries as long as the time stamp in the notice was
> accurate.

I'm pretty sure I'm the one who wrote the comment, and the concern is
delays of 100s of msec, not even seconds.  The reason is that one of
the notice actions might be some form of "drop connectivity", and for
automated malware the msecs matter regarding how quickly the drop goes in.

That said, a better way of dealing with this concern would be to have
a solid notion of event prioritization.

		Vern

