[Bro-Dev] notice tags?

Seth Hall seth at icir.org
Thu Jun 2 10:58:29 PDT 2011


On Jun 2, 2011, at 1:47 PM, Vern Paxson wrote:

>> If we had a random() BiF I think we could do it pretty easily in scripting land because we could just fmt() the output from the random() function and trim it to a certain length.
> 
> I'm not sure that's as good.  We either need long tags, or have to start
> worrying about collisions.  (Though if we had formatting to something like
> radix-64, then we could probably get both short tags and almost no chance
> of collision.)

The random() data would only be used for a notice prefix.  I think we'd only generate the random ID at init time and then use an incrementing counter as a postfix for the full ID of each notice after that, which is how it's done now.  The only chance we'd have for collisions would be in a cluster context between nodes generating notices.  Each node would never generate a conflict unless it managed to overflow a 64-bit int. :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
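The scheme sketched above, worked through as an added example that is neither Bro's code nor from the thread: one random prefix drawn at init, encoded radix-64 for a short tag, a per-process counter as the postfix, and the exact birthday-bound chance that two cluster nodes draw the same prefix. The `NoticeIdGenerator` class and helper names are assumptions made for this illustration.

```python
import base64
import math
import os


class NoticeIdGenerator:
    """Notice IDs of the form <prefix>-<counter>: a random prefix chosen
    once at init, then an incrementing counter (hypothetical illustration,
    not Bro's own implementation)."""

    def __init__(self, prefix_bytes: int = 6) -> None:
        raw = os.urandom(prefix_bytes)  # 6 bytes = 48 bits -> 8 radix-64 chars
        # urlsafe base64 is a radix-64 encoding; drop '=' padding for a short tag
        self.prefix = base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")
        self.counter = 0

    def next_id(self) -> str:
        # Within one node IDs can never repeat: the counter only grows.
        self.counter += 1
        return f"{self.prefix}-{self.counter}"


def prefix_length(prefix_bytes: int) -> int:
    """Number of radix-64 characters needed for prefix_bytes random bytes."""
    return math.ceil(prefix_bytes * 8 / 6)


def collision_probability(nodes: int, bits: int) -> float:
    """Exact probability that at least two of `nodes` independently drawn
    `bits`-bit prefixes coincide: the only collision case in this scheme,
    between cluster nodes, never inside a single node."""
    space = 2 ** bits
    p_distinct = 1.0
    for i in range(nodes):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct
```

With 48 random bits and a few hundred cluster nodes the prefix-collision chance is far below one in a billion, which is the trade-off between tag length and collision risk the thread is weighing.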