[Bro-Dev] #640: BiFs to enable or disable events.
Bro Tracker
bro at tracker.bro-ids.org
Wed Oct 12 07:00:21 PDT 2011
#640: BiFs to enable or disable events.
------------------------------+----------------------
  Reporter:  seth             |       Owner:
      Type:  Feature Request  |      Status:  new
  Priority:  Normal           |   Milestone:  Bro1.7
 Component:  Bro              |     Version:
Resolution:                   |    Keywords:  language
------------------------------+----------------------
Description changed by seth:
Old description:
> We need BiFs to enable/disable event handlers. The existing
> enable_event_group and disable_event_group functions push too much into
> the core and are too rigid.
>
> Even better would be if we had some way to place limited preconditions on
> event handlers. I would really like to be able to do this::
>
> {{{
> redef Event::policy += {
> ["prevent-port-53-dns-requests"] = [$if="port 53", $ev=dns_request,
> $action=Event::DISABLE],
> ["no-dns-responses"] = [$ev=dns_response, $action=Event::DISABLE],
> ["
> };
> }}}
>
> I'm trying to follow the general API style that we've been following with
> other frameworks but I'm using a quasi-bpf filter in place of a
> predicate since this would need to be extremely fast if it were to offer
> any benefit but there is probably lots of room for further discussion
> here. The other thing I don't like is that the way I defined it,
> Event::policy would be a const and only definable at startup. It would
> be very helpful to be able to write Bro scripts that can tune this at
> runtime.
>
> I think ultimately this is two tickets. One for creating the correct
> BiFs after figuring out all of the requirements and then creating a
> framework overtop of the BiFs to make it easier to use.
New description:
We need BiFs to enable/disable event handlers. The existing
enable_event_group and disable_event_group functions push too much into
the core and are too rigid.

Even better would be if we had some way to place limited preconditions on
event handlers. I would really like to be able to do this::

{{{
redef Event::policy += {
    ["prevent-port-53-dns-requests"] = [$if="port 53", $ev=dns_request,
                                        $action=Event::DISABLE],
    ["no-dns-responses"] = [$ev=dns_response, $action=Event::DISABLE],
};
}}}

I'm trying to follow the general API style that we've been following with
other frameworks but I'm using a quasi-bpf filter in place of a
predicate since this would need to be extremely fast if it were to offer
any benefit but there is probably lots of room for further discussion
here. The other thing I don't like is that the way I defined it,
Event::policy would be a const and only definable at startup. It would be
very helpful to be able to write Bro scripts that can tune this at
runtime.

I think ultimately this is two tickets. One for creating the correct BiFs
after figuring out all of the requirements and then creating a framework
overtop of the BiFs to make it easier to use.

--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/640#comment:1>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker