[Bro-Dev] [Proposal] Language extensions for better Broker support
Azoff, Justin S
jazoff at illinois.edu
Fri Dec 2 06:19:12 PST 2016
> On Dec 1, 2016, at 9:39 PM, Robin Sommer <robin at icir.org> wrote:
>
> Bro's current Broker framework has a few pretty inelegant API parts
> because Bro's scripting language doesn't support some of its
> operations well currently. I've put some thoughts together on
> potential language extensions to improve the situation and come to a
> nicer Broker framework API:
>
> https://www.bro.org/development/projects/broker-lang-ext.html
>
> Feedback welcome, this is just a first draft.
>
> Robin
Asynchronous executions without when: yes!
Was just talking to Vlad about this yesterday. The examples get even worse as soon as you need to do more than one broker operation in sequence. Something like this with when statements would be unmaintainable:
#Check to see if any of these keys exists
local v1 = Broker::lookup(h, 41);
local v2 = Broker::lookup(h, 42);
local v3 = Broker::lookup(h, 43);
if (v1 || v2 || v3) {
Broker::set(h, ...)
}
Or I could see a trivial example like this for counting things per day:
event connection_established(c: connection)
{
# not hardcoded ideally..
Broker::inc(h, fmt("connections:2016-12-02:addr:%s, c$id$orig_h), 1);
Broker::inc(h, fmt("connections:2016-12-02:addr:%s, c$id$resp_h), 1);
Broker::inc(h, fmt("connections:2016-12-02:port:%s, c$id$orig_p), 1);
Broker::inc(h, fmt("connections:2016-12-02:port:%s, c$id$resp_p), 1);
}
Having a way to send a batch of operations would be nice, but that's a separate issue :-)
--
- Justin Azoff
More information about the bro-dev
mailing list