[Bro-Dev] alarm function
scampbell at lbl.gov
Fri Jun 3 14:09:02 PDT 2011
From an operational perspective, I find the alarm file quite helpful (in
spite of its redundancy).
On 6/3/11 4:01 PM, Seth Hall wrote:
> On Jun 3, 2011, at 4:42 PM, Vern Paxson wrote:
>>> Is there more of a purpose to the alarm function than just printing to the alarm.log file?
>> Originally it was the interface to syslog. This has now been factored out
>> into alarm_hook, which alarm will invoke if it's present. In principle
>> we could get rid of it by replacing it with explicit calls to alarm_hook
>> (if it's defined). I don't view this as a priority, though.
> I may just remove the call to alarm then. The notice code has the notice_functions, which are a set of synchronously called functions when notices are created. It's basically the same thing but completely implemented in a Bro script, and you can have multiple functions instead of just one. It should open up the extension options a bit more and help scripts that want to hook into the notice pipeline synchronously avoid stepping on each other's toes.
> I can implement the alarm.log as a filter on the notice.log with the logging framework, but I'm not completely sure what benefits come from keeping a separate file since there is a field in the notice.log that indicates if it was alarmed on.
> Speaking of syslog, I just updated my syslog analyzer branch to be mergeable with master today. Bro can produce and consume (off the wire) syslog now. :)
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
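A sketch of the design Seth describes above (a synchronous hook deciding which notices are alarmed, and alarm.log produced as a filter on notice.log), added here as an example; it is not code from this thread or from the 2011 Bro tree. It is written against the current Zeek script API (the Notice::policy hook, Notice::ACTION_ALARM, Log::add_filter), and the notice type Example_Alarm is a constructed placeholder.

```zeek
# Added example, not from the thread. Uses today's Zeek names; the 2011 Bro
# branch under discussion used notice_functions instead of the Notice::policy hook.
@load base/frameworks/notice

module AlarmFilter;

export {
    # Constructed notice type so the example is self-contained.
    redef enum Notice::Type += { Example_Alarm };

    ## Notice types that should be escalated to an alarm.
    const alarm_types: set[Notice::Type] = { Example_Alarm } &redef;
}

# Synchronous hook: every handler runs when the notice is created, before
# actions are applied, so several scripts can each add their own actions
# without replacing one another.
hook Notice::policy(n: Notice::Info)
{
    if ( n$note in alarm_types )
        add n$actions[Notice::ACTION_ALARM];
}

event zeek_init()
{
    # The default notice.log filter stays in place. The second filter only
    # passes records that carry ACTION_ALARM, so alarm.log is just a view
    # of notice.log rather than a separately maintained file.
    Log::add_filter(Notice::LOG, [
        $name = "alarm",
        $path = "alarm",
        $pred = function(rec: Notice::Info): bool
            {
            return Notice::ACTION_ALARM in rec$actions;
            }
    ]);
}

# Constructed trigger so the script produces output when run stand-alone:
# `zeek alarm_filter.zeek` writes one line to notice.log and to alarm.log.
event zeek_init() &priority=-5
{
    NOTICE([$note=Example_Alarm, $msg="constructed test notice"]);
}
```

Because the predicate runs on the same Notice::Info record that notice.log receives, nothing has to be kept in sync between the two files; dropping the filter removes alarm.log without losing any data.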