[Bro-Dev] ICAP Analyzer Design Guidance
Fernandez, Mark I
mfernandez at mitre.org
Wed Sep 21 14:03:27 PDT 2016
I am reviewing my source code and scripts for the ICAP Analyzer that I presented last week at BroCon, with the intent of releasing the new analyzer to the Bro community. There is one key aspect which I designed a certain way, but I wonder if it would be acceptable by the community or if it would introduce problems. I appreciate your feedback.
In the 'main.bro' script for the ICAP Analyzer, I redefine the 'conn_id' record to include a new element, as follows:
redef record conn_id += {
    # Logged as 'id.orig_u' in every log that records a conn_id
    # (http.log, ftp.log, dns.log, ...); unset entries print as '-'.
    orig_u : string &log &optional;
};
where 'orig_u' is derived from the ICAP header 'X-Authenticated-User' and is associated with the userid on the local domain that originated the HTTP request.
At the time I wrote the code, it made perfect sense to extend the 'conn_id' record to include the 'orig_u' element, and it works very well in my operational environment. However, now that I am preparing to release the code to a wider audience, it occurs to me that perhaps it may not be acceptable to the community of users to extend the 'conn_id' record. To be clear, the 'orig_u' element would be present within every log file that records the 'conn_id' record, such as http.log, ftp.log, dns.log, etc. However, the values are meaningful only for http.log. In the other log files, the 'orig_u' column would contain a dash '-' value indicating the value is unset.
Design guidance: is it acceptable to redefine/extend the 'conn_id' record as described above?
I appreciate your feedback.
Thanks!
Mark I. Fernandez
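For comparison with the conn_id redefinition above, here is an added example (not code from Mark's ICAP Analyzer) that scopes the same 'orig_u' field to http.log by extending 'HTTP::Info', the record that backs http.log, instead of 'conn_id'. The module name and the 'icap_header' event are assumptions: the post does not show the analyzer's event or argument names, so that handler is a placeholder for whatever callback delivers the ICAP request headers.

```zeek
# Added example, not part of the original post or of the ICAP Analyzer.
# Module name is assumed.
module ICAP;

export {
    # Extending HTTP::Info puts 'orig_u' only in http.log, whereas
    # extending conn_id adds an 'id.orig_u' column to every log that
    # records a conn_id (ftp.log, dns.log, ...), mostly as '-'.
    redef record HTTP::Info += {
        orig_u: string &log &optional;
    };
}

# Copy the authenticated user onto the HTTP record, if one exists yet.
function set_orig_u(c: connection, user: string)
    {
    if ( c?$http )
        c$http$orig_u = user;
    }

# Hypothetical event: stands in for the ICAP analyzer's own header
# event, whose name and signature are not given in the post.
event icap_header(c: connection, name: string, value: string)
    {
    # Header names may arrive in either case; compare upper-cased.
    if ( to_upper(name) == "X-AUTHENTICATED-USER" )
        set_orig_u(c, value);
    }
```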