[Bro-Dev] alarm function
Seth Hall
seth at icir.org
Fri Jun 3 14:01:40 PDT 2011
On Jun 3, 2011, at 4:42 PM, Vern Paxson wrote:
>> Is there more of a purpose to the alarm function than just printing to the alarm.log file?
>
> Originally it was the interface to syslog. This has now been factored out
> into alarm_hook, which alarm will invoke if it's present. In principle
> we could get rid of it by replacing it with explicit calls to alarm_hook
> (if it's defined). I don't view this as a priority, though.
I may just remove the call to alarm then. The notice code has the notice_functions, which are a set of synchronously called functions invoked when notices are created. It's basically the same thing but completely implemented in a Bro script, and you can have multiple functions instead of just one. It should open up the extension options a bit more and help scripts that want to hook into the notice pipeline synchronously avoid stepping on each other's toes.
I can implement the alarm.log as a filter on the notice.log with the logging framework, but I'm not completely sure what benefits come from keeping a separate file since there is a field in the notice.log that indicates if it was alarmed on.
Speaking of syslog, I just updated my syslog analyzer branch to be mergeable with master today. Bro can produce and consume (off the wire) syslog now. :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
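The two mechanisms the message describes, a set of synchronously called notice functions that several scripts can register into without colliding, and alarm.log produced as a logging-framework filter on the notice stream rather than as a separate code path, are illustrated below. This is an added example written against the Bro 2.0-era script API, not code from the thread or from the Bro project itself. It assumes the set is exposed as Notice::sync_functions (the message calls it notice_functions), that Notice::Info carries an actions set containing Notice::ACTION_ALARM for alarmed notices (the "field in the notice.log that indicates if it was alarmed on"), and that Log::add_filter accepts a filter record with $name, $path and $pred fields.

```bro
# Added example: hook the notice pipeline synchronously and split alarmed
# notices into their own alarm.log using a logging-framework filter.
# Assumed names: Notice::sync_functions, Notice::ACTION_ALARM, the
# Notice::Info$actions field, and the Log::Filter record fields used below.
@load base/frameworks/notice

module AlarmSplit;

export {
	# Number of notices seen so far that carried the alarm action.
	global alarm_count: count = 0;
}

# Synchronous hook: called for every notice as it is created, before it is
# logged. Because the hooks live in a set, other scripts can add their own
# functions without replacing or knowing about this one.
function count_alarms(n: Notice::Info)
	{
	if ( n?$actions && Notice::ACTION_ALARM in n$actions )
		++alarm_count;
	}

redef Notice::sync_functions += { count_alarms };

event bro_init() &priority=-5
	{
	# alarm.log as a filter on the notice stream: the same Notice::Info
	# records, written to a second file only when the predicate holds.
	# The full notice.log is unaffected, so nothing is lost by the split.
	Log::add_filter(Notice::LOG,
	                [$name="alarm-split",
	                 $path="alarm",
	                 $pred=function(rec: Notice::Info): bool
	                 	{
	                 	return rec?$actions && Notice::ACTION_ALARM in rec$actions;
	                 	}]);
	}
```

Loading this script alongside the base notice framework yields a notice.log with every notice and an alarm.log containing only the alarmed subset; the hook and the filter can be dropped independently, which is the point of keeping both on the script side rather than in a built-in alarm function.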