[Bro-Dev] Support for HTTP body extraction of originator

Seth Hall seth at icir.org
Mon Apr 22 10:11:42 PDT 2013


On Apr 22, 2013, at 11:48 AM, "Siwek, Jonathan Luke" <jsiwek at illinois.edu> wrote:

> Yeah, that might be fine.  Do you have an opinion, Seth (I thought you did when we talked about the loss of directionality before)?


I think we had discussed creating enum values to represent each location for files.  For example:
 HTTP::FILE_CLIENT
 HTTP::FILE_SERVER
 SMTP::FILE_ENTITY
 FTP::FILE_ENTITY
 SSL::FILE_CLIENT_CERT
 SSL::FILE_SERVER_CERT

This would give the directionality while leaving the possibility for protocols to have multiple transport mechanisms.

 PROTO::FILE_CLIENT_WRITE_METHOD1
 PROTO::FILE_CLIENT_WRITE_METHOD2
 PROTO::FILE_CLIENT_READ_METHOD2

Do you think we need to go that far or do you think that directionality alone is enough?  

I'm also not completely sure how this should be conveyed since I don't think it should be an argument to file_new since file_new is used for files read off disk or extracted from other files (child files).  Perhaps it should just be a field in the fa_file record?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/



