[Bro-Dev] Notices done as event instead of function
Seth Hall
seth at icir.org
Thu Jun 2 11:03:06 PDT 2011
On Jun 2, 2011, at 1:49 PM, Vern Paxson wrote:
> The reason is because one of the notice actions might be some form
> of "drop connectivity", and for automated malware the msec's matter
> regarding how quickly the drop goes in.
Ohhh. That's a good point which I hadn't even considered.
> That said, a better way of dealing with this concern would be to have
> a solid notion of event prioritization.
What about a new keyword to indicate that the event should be placed at the top of the event queue?
    immediate_event notice_action(n, ACTION_DROP);
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/