[Bro-Dev] Looking on feedback on PACF/reaction framework
Vlad Grigorescu
vlad at grigorescu.org
Thu Jun 19 12:21:42 PDT 2014
This lines up pretty well with the features that I'd want from this. I
think the API is at a good level to be usable yet customizable.

A few comments I had:

- I believe Rule$target should be of type Target and not TargetType (which
  is undefined).
- Some other options to consider for EntityType:
  * Subnet
  * MAC address
  * User? (I believe some devices allow filtering based on user, if they
    authenticate via VPN, 802.1X or something similar)
- Should Rule have both orig and resp Entity fields? i.e. I could see a use
  case for filtering traffic from an IP, to it, or both.
- More generally, should Rule have an optional BPF? Perhaps this is one of
  the use cases of arg_str.

I've also been considering a feature that would allow a clean shutdown of a
worker node. I'm not sure if this would be even remotely possible, or if
it'd be a job for the PACF, but what I envision is Bro reaching out to the
hardware frontend, removing one of the active output ports from the load
balancing, and somehow transferring state on the in-progress connections to
the other workers. The reverse would also be nice (adding a worker node),
though there'd be more state to transfer.

--Vlad

On Thu, Jun 19, 2014 at 2:41 PM, Robin Sommer <robin at icir.org> wrote:
>
> I have revised the proposed API a bit, see
>
> http://www.bro.org/development/projects/pacf.html
>
> I would be interested in feedback regarding if (1) the User API is
> generally expressed at a good level, and (2) if this covers the
> functionality that people have implemented, or plan to, for
> interfacing with their network gear.
>
> Any other thoughts are welcome too, of course.
>
> (The details for individual operations aren't cast in stone yet and
> could certainly be adjusted/extended).
>
> Robin
>
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org/robin
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>