[Bro-Dev] ElasticSearch problem (Re: [Bro-Commits] [git/bro] master: Merge remote-tracking branch 'origin/fastpath' (c66c6d7))

Robin Sommer robin at icir.org
Fri Jul 27 15:09:47 PDT 2012

On Fri, Jul 27, 2012 at 21:54 +0000, you wrote:

> Another idea: testing/external/scripts/diff-all has a quick hack (that
> I'm not really sure works right still) for getting around the case
> where GeoIP support isn't enabled and shows up as a reporter message.
> Maybe that can be updated to also ignore lines regarding
> ElasticSearch.

I guess it could, but that's not really much nicer ... I can see
eventuallu having more of these optional scripts that do something
that might cause artefacts depending on config/capabilities.

How about as a general policy we say that any script that may cause
trouble when simply loaded on top of a standard configuration must
have a way to be disabled. We then add a script
disable-problematic-analyses.bro (or so :) to the external tests, and
this script sets all those relevant options.

(Hmm ... We might be able to achieve the same effect with some
@unloads, but not sure I want to rely on that odd feature ...)

I can think of one more alternative: split test-all-policy.bro into
two parts, all the scripts that are fine to load with the external
tests and those which aren't. 


Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

More information about the bro-dev mailing list