[Bro-Dev] #640: BiFs to enable or disable events.

Bro Tracker bro at tracker.bro-ids.org
Wed Oct 12 06:55:12 PDT 2011

#640: BiFs to enable or disable events.
 Reporter:  seth             |      Owner:
     Type:  Feature Request  |     Status:  new
 Priority:  Normal           |  Milestone:  Bro1.7
Component:  Bro              |    Version:
 Keywords:  language         |
 We need BiFs to enable/disable event handlers.  The existing
 enable_event_group and disable_event_group functions push too much into
 the core and are too rigid.

 Even better would be if we had some way to place limited preconditions on
 event handlers.  I would really like to be able to do this::

 redef Event::policy += {
     ["prevent-port-53-dns-requests"] = [$if="port 53", $ev=dns_request,
     ["no-dns-responses"] = [$ev=dns_response, $action=Event::DISABLE],

 I'm trying to follow the general API style that we've been following with
 other frameworks, but I'm using a quasi-BPF filter in place of a
 predicate since this would need to be extremely fast if it were to offer
 any benefit, but there is probably lots of room for further discussion
 here.  The other thing I don't like is that the way I defined it,
 Event::policy would be a const and only definable at startup.  It would be
 very helpful to be able to write Bro scripts that can tune this at

 I think ultimately this is two tickets.  One for creating the correct BiFs
 after figuring out all of the requirements and then creating a framework
 on top of the BiFs to make it easier to use.

Ticket URL: <http://tracker.bro-ids.org/bro/ticket/640>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
