[Bro-Dev] Looking on feedback on PACF/reaction framework

Vlad Grigorescu vlad at grigorescu.org
Thu Jun 19 12:21:42 PDT 2014


This lines up pretty well with the features that I'd want from this. I
think the API is at a good level to be usable yet customizable.

A few comments I had:

- I believe Rule$target should be of type Target and not TargetType (which
is undefined).

- Some other options to consider for EntityType:
    * Subnet
    * MAC address
    * User? (I believe some devices allow filtering based on user, if they
authenticate via VPN, 802.1X or something similar)

- Should Rule have both orig and resp Entity fields? i.e. I could see a use
case for filtering traffic from an IP, to it, or both.

- More generally, should Rule have an optional BPF? Perhaps this is one of
the use cases of arg_str.

I've also been considering a feature that would allow a clean shutdown of a
worker node. I'm not sure if this would be even remotely possible, or if
it'd be a job for the PACF, but what I envision is Bro reaching out to the
hardware frontend, removing one of the active output ports from the load
balancing, and somehow transferring state on the in-progress connections to
the other workers. The reverse would also be nice (adding a worker node),
though there'd be more state to transfer.

  --Vlad



On Thu, Jun 19, 2014 at 2:41 PM, Robin Sommer <robin at icir.org> wrote:

>
> I have revised the proposed API a bit, see
>
>     http://www.bro.org/development/projects/pacf.html
>
> I would be interested in feedback regarding if (1) the User API is
> generally expressed at a good level, and (2) if this covers the
> functionality that people have implemented, or plan to, for
> interfacing with their network gear.
>
> Any other thoughts are welcome too, of course.
>
> (The details for individual operations aren't cast in stone yet and
> could certainly be adjusted/extended).
>
> Robin
>
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 *     robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 * www.icir.org/robin