[Bro-Dev] Support for HTTP body extraction of originator

Siwek, Jonathan Luke jsiwek at illinois.edu
Mon Apr 22 08:48:17 PDT 2013


On Apr 22, 2013, at 10:19 AM, Matthias Vallentin <vallentin at icir.org>
 wrote:

>> Do I need to add an 'is_orig' flag to at least the 'file_new' event?
> 
> I don't know the internals of the FA framework, I just recall a record
> fa_file which appears to be what the Info record is to the logging
> framework.

fa_file is more analogous to the connection record now.

> Could it make sense to put the directionality in there for
> more flexibility? Then users can access this information in any event.

Yeah, that might be fine.  Do you have an opinion, Seth? (I thought you did when we talked about the loss of directionality before.)

- Jon

