[Bro-Dev] Notices done as event instead of function
Seth Hall
seth at icir.org
Thu Jun 2 10:54:27 PDT 2011
On Jun 2, 2011, at 1:44 PM, Will wrote:
> Personally, I like where you are going with making it easier to extend
> the built in framework. There have been multiple occasions where I
> have wanted to generate multiple custom email notices from 1 event.
I have frequently run into very similar trouble when working with the current notice framework.
> What kind of delay or slow down are we talking here? Seconds or
> minutes? I can't imagine it being more than a minute, which would be
> the least of my worries as long as the time stamp in the notice was
> accurate.
Hopefully less than seconds even but there's no way to know what your event queue will look at any specific moment.
> I didn't write the comment, but figured if you opened it up to
> "everyone"... thanks for letting me share. :)
I'll count that as one vote for flexibility over immediate immediacy (since in most cases it would still be very quick). :)
Perhaps we could implement the notice pathway as events and then make a way to inject certain events higher in the event queue if it turns out to be problematic for anyone in the future.
Thanks,
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
More information about the bro-dev
mailing list