[Bro-Dev] notice tags?
Seth Hall
seth at icir.org
Thu Jun 2 10:58:29 PDT 2011
On Jun 2, 2011, at 1:47 PM, Vern Paxson wrote:
>> If we had a random() BiF I think we could do it pretty easily in scripting land because we could just fmt() the output from the random() function and trim it to a certain length.
>
> I'm not sure that's as good. We either need long tags, or have to start
> worrying about collisions. (Though if we had formatting to something like
> radix-64, then we could probably get both short tags and almost no chance
> of collision.)
The random() data would only be used for a notice prefix. I think we'd only generate the random ID at init time and then use an incrementing counter as a postfix for the full ID of each notice after that, which is how it's done now. The only chance we'd have for collisions would be in a cluster context between nodes generating notices. Each node would never generate a conflict unless it managed to overflow a 64-bit int. :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
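
The scheme discussed in this message, sketched in Python as an added example that is not part of the original post or of Bro's code: a random prefix drawn once at init and formatted in radix-64 (as the quoted reply suggests), an incrementing counter as postfix, and a birthday-bound estimate of prefix collisions between cluster nodes. The 48-bit prefix size, the `:` separator and all names are assumptions.

```python
import base64
import math
import secrets

PREFIX_BYTES = 6  # assumed size: 48 random bits -> 8 radix-64 characters


class NoticeTagger:
    """Per-node tag source: random prefix chosen once, then a counter postfix."""

    def __init__(self, prefix_bytes=PREFIX_BYTES, rand=secrets.token_bytes):
        raw = rand(prefix_bytes)
        # URL-safe radix-64 keeps the prefix short; 6 bytes need no '=' padding.
        self.prefix = base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
        self.counter = 0

    def next_tag(self):
        # A single node only repeats a tag if the 64-bit counter wraps.
        if self.counter >= 2 ** 64 - 1:
            raise OverflowError("64-bit notice counter exhausted")
        self.counter += 1
        # ':' is outside the URL-safe radix-64 alphabet, so the split is unambiguous.
        return f"{self.prefix}:{self.counter}"


def prefix_collision_probability(nodes, prefix_bits):
    """Birthday bound: chance that any two cluster nodes drew the same prefix."""
    space = 2 ** prefix_bits
    if nodes > space:
        return 1.0  # pigeonhole: more nodes than possible prefixes
    # P(no collision) = prod_{i=0}^{nodes-1} (1 - i/space), summed in log space
    log_no_collision = sum(math.log1p(-i / space) for i in range(nodes))
    return -math.expm1(log_no_collision)


if __name__ == "__main__":
    node = NoticeTagger()
    print(node.next_tag(), node.next_tag())
    for bits in (16, 32, 48):
        p = prefix_collision_probability(50, bits)
        print(f"50 nodes, {bits}-bit prefix: P(collision) = {p:.3e}")
```
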