[Bro-Dev] ICAP Analyzer Design Guidance

Fernandez, Mark I mfernandez at mitre.org
Wed Sep 21 14:03:27 PDT 2016


I am reviewing my source code and scripts for the ICAP Analyzer that I presented last week at BroCon, with the intent of releasing the new analyzer to the Bro community.  There is one key aspect which I designed a certain way, but I wonder if it would be acceptable to the community or if it would introduce problems.  I appreciate your feedback.

In the 'main.bro' script for the ICAP Analyzer, I redefine the 'conn_id' record to include a new element, as follows:

    redef record conn_id += {
        orig_u : string &log &optional;
    };

where 'orig_u' is derived from the ICAP header 'X-Authenticated-User' and is associated with the userid on the local domain that originated the HTTP request.

At the time I wrote the code, it made perfect sense to extend the 'conn_id' record to include the 'orig_u' element, and it works very well in my operational environment.  However, now that I am preparing to release the code to a wider audience, it occurs to me that perhaps it may not be acceptable to the community of users to extend the 'conn_id' record.  To be clear, the 'orig_u' element would be present within every log file that records the 'conn_id' record, such as http.log, ftp.log, dns.log, etc.  However, the values are meaningful only for http.log.  In the other log files, the 'orig_u' column would contain a dash '-' value indicating the value is unset.

Design guidance: is it acceptable to redefine/extend the 'conn_id' record as described above?

I appreciate your feedback.

Thanks!
Mark I. Fernandez
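For comparison, the following is an added illustration (not code from the post or from the ICAP Analyzer itself) of the two places the field can live in a Bro script. Extending conn_id, as the post describes, puts the column into every log that embeds conn_id (conn.log, http.log, dns.log, ftp.log, ...); extending HTTP::Info instead confines the column to http.log, where the post says the value is meaningful. The event name icap_header and its signature are assumptions for the sake of the example; the real event raised by the ICAP Analyzer is not shown in the post.

```bro
# Option A (as described in the post): the new column appears in every
# log whose record embeds conn_id, and reads '-' wherever it is unset.
redef record conn_id += {
    orig_u : string &log &optional;
};

# Option B: attach the field to the HTTP log record only, so the column
# appears solely in http.log and other logs are left unchanged.
redef record HTTP::Info += {
    orig_u : string &log &optional;
};

# Hypothetical event; the ICAP Analyzer's actual event is not shown in the post.
# Populates the HTTP::Info field from the X-Authenticated-User ICAP header.
event icap_header(c: connection, name: string, value: string)
    {
    if ( name == "X-Authenticated-User" && c?$http )
        c$http$orig_u = value;
    }
```

With Option B the http.log schema gains the orig_u column while conn.log, dns.log and ftp.log are untouched, which avoids the all-dashes column the post describes for the other log types.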