[Bro-Dev] Notices and alarms (Re: [Bro-Commits] [git/bro] topic/robin/pp-alarms: A new notice script that pretty-prints alarms in the summary email. (73d5643))

Robin Sommer robin at icir.org
Wed Oct 26 13:41:31 PDT 2011


On Wed, Oct 26, 2011 at 16:30 -0400, you wrote:

> Eventually (maybe before the final?) I'd like to have a page in the
> auto-generated docs with all of the Notice::Type values and the

That would be nice. Can Broxygen already extract that information?

> > I'm sure you have thought about this: what's the reason for not using
> > ACTION_ALARM as the default action, now that there aren't actually
> > that many notices generated anymore?

> In my mind that violates the "Bro is policy neutral" rule (or whatever
> I've seen in slides).

That argument usually applies to the event engine. For scripts,
considering policy is hard to avoid (and as you say, by default, Bro
1.x did turn everything into an alarm).

> That said, I think that shipping with some notices added to the
> Notice::emailed_types and Notice::alarmed_type variables in
> local.bro would be cool since I see local.bro as our chance to give a
> suggested configuration.

Or we could provide an option "default_alarm" or so that enables
ACTION_ALARM as the default, and then put that option into local.bro
for everybody to tune. The question would then be what to default to.
I'm leaning towards alarming by default, in the spirit of showing off
what Bro can do (and showing that it *is* doing something).

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
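The local.bro shape the two proposals above converge on, as an added example that is not code from this thread or from the Bro distribution: a site-tunable "alarm by default" knob plus a suggested set of emailed types. It is written against the hook-based Notice::policy API of later Bro/Zeek releases rather than the PolicyItem set the 2.0 betas used, and the names default_alarm and default_alarm_exempt are hypothetical; Notice::emailed_types, Notice::ACTION_ALARM, SSH::Password_Guessing and Weird::Activity are real framework identifiers.

```zeek
##! Added example, not part of the Bro distribution.  Assumes the
##! hook-based Notice::policy API (Bro 2.1+/Zeek); `default_alarm` and
##! `default_alarm_exempt` are hypothetical knobs introduced here.

@load base/frameworks/notice
@load protocols/ssh/detect-bruteforcing   # provides SSH::Password_Guessing

module Notice;

export {
	## Hypothetical site knob: when T, every notice that is not
	## exempted below is escalated to ACTION_ALARM, so the alarm
	## summary shows that Bro *is* doing something out of the box.
	const default_alarm = T &redef;

	## Hypothetical exemption list: chatty or purely informational
	## notice types that should stay log-only even with default_alarm=T.
	const default_alarm_exempt: set[Notice::Type] = {
		Weird::Activity,
	} &redef;
}

## Runs after the site's own policy hooks (negative priority), so a
## per-site hook that already decided on actions wins; adding to the
## set is idempotent, so a notice already alarmed elsewhere is unchanged.
hook Notice::policy(n: Notice::Info) &priority=-5
	{
	if ( ! default_alarm )
		return;

	if ( n$note in default_alarm_exempt )
		return;

	if ( Notice::ACTION_ALARM !in n$actions )
		add n$actions[Notice::ACTION_ALARM];
	}

## The "suggested configuration" half: a couple of types a site would
## typically want mailed as well as alarmed.  Tune per site.
redef Notice::emailed_types += {
	SSH::Password_Guessing,
};
```

To turn the default back off at a site, `redef Notice::default_alarm = F;` in local.bro is enough; the exemption set and emailed_types can be extended with further `redef ... +=` lines without touching this block.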