[Bro-Dev] Configurable &write_expire interval

Jan Grashöfer jan.grashoefer at gmail.com
Thu May 26 14:42:20 PDT 2016


Hi,

I ran into an issue while trying to make the &write_expire interval
configurable: Using a redefable constant does not work here, as the
expression only gets evaluated when the table is initialized and thus
later redefs do not influence the value. I thought about circumventing
this by setting the value to 0 and maintain an extra variable to check
against in my expire_func and return the right value. Unfortunately this
won't work with write/read_expire as a write or read will reset the
expiration to the initial value of 0.

A solution could be to evaluate the interval expression every time it is
used inside the table implementation. The drawback would be that there
is no fixed value for serialization (I am not sure about the effects
here). Another solution would be to provide a bif (or implement a
language feature) to change the expire_time value from inside the
expire_func.

There was a somehow similar discussion about per item expiration (see
http://mailman.icsi.berkeley.edu/pipermail/bro-dev/2016-April/011731.html)
in which Robin came up with the solution of multiple tables with
different expiration values. Again this would be a solution but doesn't
feel right (duplicate code, static and somehow counterintuitive for the
user). By the way: This is again about intel expiration. This time I
thought I'll keep it simple and just have one user-defined expiration
value for all items :D

Maybe I am missing something regarding the loading sequence of scripts
and this problem could be solved easier. So I am open for any
suggestions or feedback!

Best regards,
Jan


More information about the bro-dev mailing list