[Bro-Dev] notice tags?

Seth Hall seth at icir.org
Fri Jun 3 11:01:41 PDT 2011


On Jun 3, 2011, at 1:49 PM, Vern Paxson wrote:

> or if a given notice might have a tag associated
> with multiple connections (I don't think we do this presently, but in
> principle it would make sense).


I did this in the new policy scripts yesterday.  It makes it much easier to search for connections with Notices if the notice id is included in the conn log.  We could implement this modularly though so that the notices (and the whole notice column itself) are only included if the script that implements that is loaded.  It should get us the best of both depending on what you need. :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/



