[Bro-Dev] alarm function

Scott Campbell scampbell at lbl.gov
Fri Jun 3 14:09:02 PDT 2011


From an operational perspective, I find the alarm file quite helpful (in
spite of its redundancy).


On 6/3/11 4:01 PM, Seth Hall wrote:
> On Jun 3, 2011, at 4:42 PM, Vern Paxson wrote:
>>> Is more of a purpose to the alarm function than just printing to the alarm.log file?
>> Originally it was the interface to syslog.  This has now been factored out
>> into alarm_hook, which alarm will invoke if it's present.  In principle
>> we could get rid of it by replacing it with explicit calls to alarm_hook
>> (if it's defined).  I don't view this as a priority, though.
> I may just remove the call to alarm then.  The notice code has the notice_functions which are a set of synchronously called functions when notices are created.  It's basically the same thing but completely implemented in a Bro script and you can have multiple functions instead of just one.  It should open up the extension options a bit more and help prevent scripts that want to hook into the notice pipeline synchronously avoid stepping on each other's toes.
> I can implement the alarm.log as a filter on the notice.log with the logging framework, but I'm not completely sure what benefits come from keeping a separate file since there is a field in the notice.log that indicates if it was alarmed on.
> Speaking of syslog, I just updated my syslog analyzer branch to be mergeable with master today.  Bro can produce and consume (off the wire) syslog now. :)
>   .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro-ids.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
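The two mechanisms discussed in this thread, a synchronously invoked per-notice hook and an alarm.log derived from notice.log through the logging framework, look like this in current Zeek script syntax. This is an added example, not code from the thread or from the Bro project of 2011: the identifiers used here (Notice::policy, Notice::Info, Notice::ACTION_ALARM, Notice::LOG, Log::add_filter, Log::Filter) are the present-day Zeek names, and the notice_functions set Seth describes was the earlier form of the same idea; the Local::Example_Alarm notice type is constructed for the example.

```zeek
# Added example (not from the thread): current Zeek equivalent of the design
# discussed above. The notice type below is constructed for illustration.
module Local;

export {
    ## Constructed notice type, used only to exercise the hook and filter.
    redef enum Notice::Type += { Example_Alarm };
}

# Runs synchronously each time a notice is created. Several scripts may each
# supply their own hook body for Notice::policy without interfering with one
# another, which is the "multiple functions instead of just one" property.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note == Local::Example_Alarm )
        add n$actions[Notice::ACTION_ALARM];
}

event zeek_init()
{
    # alarm.log as a filtered view of notice.log: only records whose actions
    # field carries ACTION_ALARM are written to the "alarm" path. The field
    # itself still appears in notice.log, so alarm.log adds no information,
    # only a convenient operational view.
    local alarm_filter: Log::Filter = [
        $name = "alarm",
        $path = "alarm",
        $pred = function(rec: Notice::Info): bool
            { return Notice::ACTION_ALARM in rec$actions; }
    ];
    Log::add_filter(Notice::LOG, alarm_filter);

    # Constructed trigger so the script produces one alarmed notice when run
    # on its own (e.g. `zeek local-alarm.zeek`), with no traffic required.
    NOTICE([$note = Local::Example_Alarm,
            $msg  = "constructed example notice"]);
}
```

Running this produces a notice.log entry with ACTION_ALARM in its actions column and the same record again in alarm.log, which illustrates the redundancy the thread weighs against the convenience of a separate file.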


