[Bro-Dev] eval?

Seth Hall seth at icir.org
Wed Jun 15 12:15:14 PDT 2011


I imagine that an eval BiF would be pretty easy to write and it would make it possible for me to do what I'm working on now.  I'll write a bit about what I'm working on to justify an eval BiF.  :)

I'm reworking most of the notice framework to make it simpler and make its features more well defined, mostly by removing the notice action filters.  The notice action filters are confusing because they are applied after the notice policy, but that effectively creates two different ways for actions to be applied to notices, and it just makes things confusing in the end.  I think the notice action filters were originally created as a shorthand way to provide broad brush strokes to the notice policy by directing entire notice types toward certain actions.

If we had an eval function, I could essentially replicate this functionality in the notice policy which would keep everything much clearer.  As things stand now (before I do a commit), here's how it looks to filter out entire notice types:

redef Notice::action_filters += {
        [[DPD::ProtocolViolation]] = Notice::ignore_action,
};

I would like to do something like this...

redef Notice::policy += { 
	Notice::ignore_it(DPD::ProtocolViolation),
};

The problem is that to implement the ignore_it function requires me to dynamically implement the predicate for the notice policy which Bro doesn't currently like.  I tried implementing it similarly to this:

function ignore_it(nt: Notice::Type): Notice::PolicyItem
	{
	return [$result=ACTION_IGNORE,
	        $pred(n: Notice::Info) = { return n$note == nt; },
	        $priority=5];
	}

I think the problem comes up when Bro is interpreting "n$note == nt".  It isn't pulling the values from the correct namespace.  If I could call an eval function, I could implement it this way:

function ignore_it(nt: Notice::Type): Notice::PolicyItem
	{
	eval(cat("return [$result=ACTION_IGNORE, $pred(n: Notice::Info) = { return n$note == ", 
		nt,
		"; }, $priority=5]");
	}

I think it would be fairly reasonable for eval to only work at init time too.  It scares me to think of eval being usable at runtime.  Sorry for the long email, but any thoughts?  

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/