[Bro-Dev] Call for opinions on logging framework syntax problem

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Tue Nov 29 16:53:21 PST 2011


Hello,

I am currently working on the input framework for bro -- which allows reading previously written log files back into bro -- and have encountered a little problem when reading port fields. There are several different methods to solve this problem and I wanted to get a little bit of feedback before implementing any of these solutions.

First to describe the problem...
When the logging framework is used to log port information, the information does not include the protocol -- this is usually stored in a second column.
Hence, a logfile storing port information will usually look something like this

#fields host_a host_p proto
12.12.12.12 80 tcp

The input framework uses record types to define, what fields should be read from a previously written logfile.
To read the fields, one could e.g. define a record like this:

type Values: record {
	host_a: addr;
	host_p: port;
} 

The problem with this approach is, that now host_p does not contain the protocol of the port, because it is stored in a different, unrelated column.
Hence, the input framework needs a (preferably syntactically nice, easy to understand) way to identify the column that is used to store the port information.

The easiest solution would be just to assume a fixed column name (e.g. host_p_port if the port is stored in host_p), but this is probably not a very good idea for a number of reasons.

The nicest way we could think of at the moment is to use annotations for this; for our example one could e.g. use

type Values: record {
	host_a: addr;
	host_p: port &protocol_column=proto;
} 

This has the disadvantage of introducing a new, very specialized annotation that is only used for this one case.

Does anyone else have any ideas / suggestions?

Bernhard


More information about the bro-dev mailing list