[Bro-Dev] #640: BiFs to enable or disable events.
Bro Tracker
bro at tracker.bro-ids.org
Wed Oct 12 06:55:12 PDT 2011
#640: BiFs to enable or disable events.
-----------------------------+--------------------
Reporter: seth | Owner:
Type: Feature Request | Status: new
Priority: Normal | Milestone: Bro1.7
Component: Bro | Version:
Keywords: language |
-----------------------------+--------------------
We need BiFs to enable/disable event handlers. The existing
enable_event_group and disable_event_group functions push too much into
the core and are too rigid.
Even better would be if we had some way to place limited preconditions on
event handlers. I would really like to be able to do this::
{{{
redef Event::policy += {
    ["prevent-port-53-dns-requests"] = [$if="port 53", $ev=dns_request,
                                        $action=Event::DISABLE],
    ["no-dns-responses"] = [$ev=dns_response, $action=Event::DISABLE],
    ["
};
}}}
I'm trying to follow the general API style that we've been following with
other frameworks but I'm using a quasi-bpf filter in place of a
predicate since this would need to be extremely fast if it were to offer
any benefit but there is probably lots of room for further discussion
here. The other thing I don't like is that the way I defined it,
Event::policy would be a const and only definable at startup. It would be
very helpful to be able to write Bro scripts that can tune this at
runtime.
I think ultimately this is two tickets. One for creating the correct BiFs
after figuring out all of the requirements and then creating a framework
overtop of the BiFs to make it easier to use.
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/640>
Bro Tracker <http://tracker.bro-ids.org/bro>