[Bro-Dev] eval?

Seth Hall seth at icir.org
Wed Jun 15 20:36:16 PDT 2011


On Jun 15, 2011, at 10:24 PM, Vern Paxson wrote:

> This strikes me as definitely going down the wrong path - making code less
> clear rather than more clear.

Heh, exactly why I was looking for feedback. :)

> I'm not understanding how the second is better than the first.  Indeed,
> now I have to go look at how ignore_it works to know what's going on.

Syntactically it wasn't really any better.  I guess I wasn't very clear in my email earlier.  What it was doing was clearing up a somewhat ambiguously defined area internally in the notice code by getting rid of the action_filters since the notice policy does essentially the same thing but in a different way.  Having both methods can bite you because you have to know the internal organization of the notice framework to effectively use it.  

> Here it seems if you must go this route, the right fix is either a notion
> of currying (or partial application) of functions, or to have a single
> PolicyItem for ignoring that looks up n$note in a table, and just add
> DPD::ProtocolViolation to that table.


That's exactly what I ended up doing right after I sent the email. :)

I'm almost certain I've still missed some use case for the notice framework or made some odd design decisions (I think I'm well known for those!), but I'll fix everything once the script gets reviewed more closely.

Thanks for trudging through that whole email.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/



