[Bro-Dev] #914: topic/seth/intel-framework

Bro Tracker bro at tracker.bro-ids.org
Wed Oct 31 19:17:35 PDT 2012


#914: topic/seth/intel-framework
----------------------+------------------------
  Reporter:  seth     |      Owner:  seth
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.2
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:
----------------------+------------------------

Comment (by seth):

 > - why not load the various seen() handlers in base/* rather than
 > policy/*?
 > Isn't part of the beauty here that it will just find stuff once intel
 > data has been loaded?

 Sending data to the Intel::seen function has implicit overhead and I
 wanted it to be optional if someone chooses to send data to it.  My
 personal rule is that loading a framework from base/ shouldn't have any
 implicit overhead (other than loading the code into memory).  We probably
 should go ahead and add that policy load into the local.bro script though
 since that would give back the magic. :)

 > - cluster.bro: {{{initial_sync}}} never gets reset; that doesn't seem to
 > work if I restart everything except the manager, right?

 Hm, that variable isn't in the code anymore (it was old).

 > - {{{match_no_items}}} is not a very intuitive name imo :)

 It's internal to the framework for doing minimal data matches.  Users
 should never know about it.

 > - didn't you have some initial documentation as well, or do I
 > misremember that?

 doc/intel.rst

 > - Should scripts/policy/protocols/http/detect-intel.bro go now?
 > Likewise, there are old tests in {{{scripts/base/frameworks/intel/}}}
 > that use {{{Intel::matcher}}}

 Did you update?  I removed all of those tests.

 I think you may be trying to merge an older version of my code.

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/914#comment:6>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker