[Bro-Dev] &log attribute

Seth Hall seth at icir.org
Tue Mar 22 08:14:53 PDT 2011


On Mar 22, 2011, at 10:57 AM, Jonathan Siwek wrote:

>> Is it just a problem because it requires more verbosity in the case that all fields are meant to be logged (i.e. script writer might forget to add the &log attribute)?

Nah, I don't think that needing the &log attribute explicitly for each field is a problem.  I think it's better than many alternatives.

>  Or is there an example you can give to explain what you mean?


It's a non-reusable attribute.  It only applies in this one scenario, but I suppose the same can also be said for most of the file-based attributes like &raw_output.  I guess I don't have a really good example and the attribute really does make for clearer intentions when writing scripts compared to the current model of the two separate records.

It would be nice for documentation generation too because there isn't any question about what fields/records are intended for the logging framework.  In the existing model, there would need to be some sort of indicator for a record to indicate that the record is intended for the logging framework because you don't want to guess based on the type name.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/



