[Bro-Dev] notice tags?

Vern Paxson vern at icir.org
Fri Jun 3 10:49:50 PDT 2011


> > Do we still need the tags once we have unique connids for grepping?
> 
> It might be worthwhile still.  It was interesting to me to see all of the notices attached to a connection.

Seems you get that already if the notice just includes the connid.  Where
it would come up short is if you *don't* want all the notices (since there
are a zillion boring ones), or if a given notice might have a tag associated
with multiple connections (I don't think we do this presently, but in
principle it would make sense).

		Vern

