[Bro-Dev] notice tags?

Gregor Maier gregor at icir.org
Fri Jun 3 08:35:41 PDT 2011


Do we still need the tags once we have unique connids for grepping?

On 6/2/11 10:33 , Seth Hall wrote:
> 
> On Jun 2, 2011, at 1:25 PM, Vern Paxson wrote:
> 
>>> Are notice tags used by anyone?
>>
>> They are handy for grepping.  The tag also appears in the conn file
>> (as an $addl element), so you can link the two together.
> 
> Heh, it actually doesn't right now. :)
> 
> I'll add that back in (notice id in conn.log); I can see it being useful in some cases.  With the record extension stuff, I think I'll be implementing it as a separate field just for notices and it will probably be implemented in the notice script itself.  I never liked that $addl field, it was always hard to figure out what it was for.
> 
> Should there be a separate and built in way to generate unique ids?  What bothered me about the tag implementation in the notice script is that it's a bit difficult to figure out what's going on due to dealing with non-determinism of the tags because of the data it bases the tags on.  If we had a BiF that just generated unique IDs, we could build all of the determinism in there and wouldn't have to worry about it anymore where we need unique IDs.
> 
> Thanks,
>  .Seth
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro-ids.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
> 


-- 
Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/
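As an added illustration of the linking discussed in this thread (not code from the thread or from Bro itself): once notice.log and conn.log share one unique connection id, a notice can be tied back to its connection with a plain join on that column instead of a tag. The column name `uid`, the tab-separated layout with a `#fields` header line, and both log excerpts are assumptions constructed for this example.

```python
# Added example: join notice entries to their connections by a shared unique id.
# The "uid" column name and the "#fields" header convention are assumptions of
# this example; both logs below are constructed sample data, not real output.
from typing import Dict, List, Optional

CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1307115300.1\tCxyz001\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\thttp
1307115301.7\tCxyz002\t10.0.0.7\t44321\t192.0.2.20\t22\ttcp\tssh
"""

NOTICE_LOG = """#fields\tts\tuid\tnote\tmsg
1307115302.0\tCxyz002\tExample::Login_Seen\tconstructed notice with a matching connection
1307115303.4\tCxyz999\tExample::Orphan\tconstructed notice with no matching connection
"""

def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated log whose column names come from a #fields line.
    Other '#' lines (separator, path, ...) and blank lines are ignored."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        elif fields is None:
            raise ValueError("data line before #fields header")
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def link_notices(conn_text: str, notice_text: str) -> List[Dict[str, Optional[Dict[str, str]]]]:
    """Attach the matching connection record (or None when the uid is unknown)
    to every notice, so each alert can be read next to its flow."""
    by_uid = {rec["uid"]: rec for rec in parse_log(conn_text)}
    return [{"notice": n, "conn": by_uid.get(n["uid"])} for n in parse_log(notice_text)]

if __name__ == "__main__":
    for pair in link_notices(CONN_LOG, NOTICE_LOG):
        n, c = pair["notice"], pair["conn"]
        where = f"{c['id.orig_h']} -> {c['id.resp_h']}:{c['id.resp_p']}" if c else "no conn record"
        print(f"{n['note']} ({n['uid']}): {where}")
```

A notice whose uid has no conn.log counterpart (the second one above) is exactly the case a deterministic id generator would avoid, since the join then depends only on both logs writing the same value.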

