[Bro-Dev] Support for HTTP body extraction of originator
Seth Hall
seth at icir.org
Mon Apr 22 10:11:42 PDT 2013
On Apr 22, 2013, at 11:48 AM, "Siwek, Jonathan Luke" <jsiwek at illinois.edu> wrote:
> Yeah, that might be fine. Do you have an opinion, Seth (I thought you did when we talked about the loss of directionality before)?
I think we had discussed creating enum values to represent each location for files. For example:
HTTP::FILE_CLIENT
HTTP::FILE_SERVER
SMTP::FILE_ENTITY
FTP::FILE_ENTITY
SSL::FILE_CLIENT_CERT
SSL::FILE_SERVER_CERT
This would give the directionality while leaving the possibility for protocols to have multiple transport mechanisms.
PROTO::FILE_CLIENT_WRITE_METHOD1
PROTO::FILE_CLIENT_WRITE_METHOD2
PROTO::FILE_CLIENT_READ_METHOD2
Do you think we need to go that far or do you think that directionality alone is enough?
I'm also not completely sure how this should be conveyed since I don't think it should be an argument to file_new since file_new is used for files read off disk or extracted from other files (child files). Perhaps it should just be a field in the fa_file record?
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/