[Bro-Dev] file analysis extraction analyzer

Siwek, Jonathan Luke jsiwek at illinois.edu
Tue Jun 25 10:35:03 PDT 2013


On Jun 25, 2013, at 9:40 AM, Seth Hall <seth at icir.org> wrote:

> Jon, what do you think about adding extraction events for when an extraction begins and ends?  They could be events like this…
> 
> event file_extract_begin(f: fa_file, tag: Analyzer, args: AnalyzerArgs)
> event file_extract_end(f: fa_file, tag: Analyzer, args: AnalyzerArgs)

Generally sounds fine, but why is the tag needed? Unless there are plans for there to be different kinds of file extraction analyzers that re-use those events, won't it always be the same tag? Similarly, do you need the full args since the only relevant part of it is the file/path name?

- Jon

