[Bro-Dev] active_conns

Robin Sommer robin at icir.org
Thu Mar 17 14:57:46 PDT 2011


Seth, just looking through the new conn.bro, and I have a
philosophical question about this piece:

       # This is where users can get access to the active Log record for a
       # connection so they can extend and enhance the logged data.
       global active_conns: table[conn_id] of Log;

What kind of data do you see this extended with?

I'm asking because one thing that always struck me as suboptimal is
how currently many scripts are maintaining their own session table.
E.g., the HTTP analyzer has http_sessions[conn_id] where it stores
its stuff.

With the new record extension mechanisms we could instead do the other
extreme: no script gets its own table anymore, the additional things
just get added to a central record, like this Conn::Log. I'm not sure
whether I really want to advocate that change but I was wondering what
your (or anybody's) thoughts are.

(Note that if it were really Conn::*Log* that gets extended, this
would interfere with logging obviously. But we could separate the two
notions, and just have a central Connection record which everybody
extends.)

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

