[Bro-Dev] #640: BiFs to enable or disable events.

Bro Tracker bro at tracker.bro-ids.org
Wed Oct 12 07:00:21 PDT 2011


#640: BiFs to enable or disable events.
------------------------------+----------------------
  Reporter:  seth             |      Owner:
      Type:  Feature Request  |     Status:  new
  Priority:  Normal           |  Milestone:  Bro1.7
 Component:  Bro              |    Version:
Resolution:                   |   Keywords:  language
------------------------------+----------------------
Description changed by seth:

Old description:

> We need BiFs to enable/disable event handlers.  The existing
> enable_event_group and disable_event_group functions push too much into
> the core and are too rigid.
>
> Even better would be if we had some way to place limited preconditions on
> event handlers.  I would really like to be able to do this::
>
> {{{
> redef Event::policy += {
>     ["prevent-port-53-dns-requests"] = [$if="port 53", $ev=dns_request, $action=Event::DISABLE],
>     ["no-dns-responses"] = [$ev=dns_response, $action=Event::DISABLE],
>     ["
> };
> }}}
>
> I'm trying to follow the general API style that we've been following with
> other frameworks but I'm using a quasi-bpf filter in place of a
> predicate since this would need to be extremely fast if it were to offer
> any benefit but there is probably lots of room for further discussion
> here.  The other thing I don't like is that the way I defined it,
> Event::policy would be a const and only definable at startup.  It would
> be very helpful to be able to write Bro scripts that can tune this at
> runtime.
>
> I think ultimately this is two tickets.  One for creating the correct
> BiFs after figuring out all of the requirements and then creating a
> framework overtop of the BiFs to make it easier to use.

New description:

 We need BiFs to enable/disable event handlers.  The existing
 enable_event_group and disable_event_group functions push too much into
 the core and are too rigid.

 Even better would be if we had some way to place limited preconditions on
 event handlers.  I would really like to be able to do this::

 {{{
 redef Event::policy += {
     ["prevent-port-53-dns-requests"] = [$if="port 53", $ev=dns_request, $action=Event::DISABLE],
     ["no-dns-responses"] = [$ev=dns_response, $action=Event::DISABLE],
 };
 }}}

 I'm trying to follow the general API style that we've been following with
 other frameworks but I'm using a quasi-bpf filter in place of a
 predicate since this would need to be extremely fast if it were to offer
 any benefit but there is probably lots of room for further discussion
 here.  The other thing I don't like is that the way I defined it,
 Event::policy would be a const and only definable at startup.  It would be
 very helpful to be able to write Bro scripts that can tune this at
 runtime.

 I think ultimately this is two tickets.  One for creating the correct BiFs
 after figuring out all of the requirements and then creating a framework
 overtop of the BiFs to make it easier to use.

--

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/640#comment:1>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker


