[Bro-Dev] Support for HTTP body extraction of originator

Siwek, Jonathan Luke jsiwek at illinois.edu
Mon Apr 22 10:43:11 PDT 2013


> This would give the directionality while leaving the possibility for protocols to have multiple transport mechanisms.
> 
> PROTO::FILE_CLIENT_WRITE_METHOD1
> PROTO::FILE_CLIENT_WRITE_METHOD2
> PROTO::FILE_CLIENT_READ_METHOD2
> 
> Do you think we need to go that far or do you think that directionality alone is enough?  

That case seems maybe like overkill because the mechanism and other context is typically available in c$proto which people can inspect in the FAF events, but the part that's missing is a consistent and protocol independent way of determining the direction that the file is going.  As long as they have that, any other context that's available at the time of the FAF event becomes usable.

>  Perhaps it should just be a field in the fa_file record?

Seems fine for now.  Will add unless there's other thoughts.

- Jon
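To make the design point concrete, the following Bro script is an added example (not code from the thread or from the Bro project) showing how a policy script would consume a protocol-independent direction field on `fa_file`. It assumes the field is named `is_orig` (a bool set when the file was sent by the connection originator); that name is not stated in the thread and is an assumption here. The script uses only the standard `file_new` event, `fa_file$conns`, and the Notice framework, and shows the split Jon describes: the direction comes from the file record, while protocol-specific context (here the HTTP method and host) is still pulled from `c$http` when the analyzer provides it.

```bro
##! Added example: flag files sent by the originator (client-side uploads),
##! using a protocol-independent direction field on fa_file and then
##! enriching with per-protocol context from the connection record.

@load base/frameworks/notice
@load base/protocols/http

module UploadWatch;

export {
    redef enum Notice::Type += {
        ## A file was carried in the originator-to-responder direction.
        Originator_Sent_File,
    };

    ## Sources (fa_file$source) for which originator-sent files are reported.
    const watched_sources: set[string] = { "HTTP", "FTP_DATA" } &redef;
}

event file_new(f: fa_file)
    {
    # Assumption: fa_file carries a bool field `is_orig` describing direction.
    if ( ! f?$is_orig || ! f$is_orig )
        return;

    if ( f$source !in watched_sources )
        return;

    # Protocol-specific context stays in the connection record; the
    # direction check above did not need to know which protocol this is.
    for ( cid in f$conns )
        {
        local c = f$conns[cid];
        local detail = fmt("source=%s", f$source);

        if ( c?$http )
            {
            if ( c$http?$method )
                detail = fmt("%s method=%s", detail, c$http$method);
            if ( c$http?$host )
                detail = fmt("%s host=%s", detail, c$http$host);
            }

        NOTICE([$note=Originator_Sent_File,
                $msg=fmt("originator sent file %s (%s)", f$id, detail),
                $conn=c,
                $identifier=cat(f$id)]);
        }
    }
```

Because the direction test lives on the file record, the same handler works unchanged for any protocol that sets the field; only the optional enrichment block needs protocol knowledge.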