[Bro-Dev] notice tags?
Gregor Maier
gregor at icir.org
Fri Jun 3 08:35:41 PDT 2011
Do we still need the tags once we have unique connids for grepping?
On 6/2/11 10:33 , Seth Hall wrote:
>
> On Jun 2, 2011, at 1:25 PM, Vern Paxson wrote:
>
>>> Are notice tags used by anyone?
>>
>> They are handy for grepping. The tag also appears in the conn file
>> (as an $addl element), so you can link the two together.
>
> Heh, it actually doesn't right now. :)
>
> I'll add that back in (notice id in conn.log); I can see it being useful in some cases. With the record extension stuff, I think I'll be implementing it as a separate field just for notices and it will probably be implemented in the notice script itself. I never liked that $addl field; it was always hard to figure out what it was for.
>
> Should there be a separate and built-in way to generate unique ids? What bothered me about the tag implementation in the notice script is that it's a bit difficult to figure out what's going on due to dealing with the non-determinism of the tags because of the data it bases the tags on. If we had a BiF that just generated unique IDs, we could build all of the determinism in there and wouldn't have to worry about it anymore where we need unique IDs.
>
> Thanks,
> .Seth
>
--
Gregor Maier
<gregor at icir.org> <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/