[Bro-Dev] Broker::publish API

Jon Siwek jsiwek at corelight.com
Tue Aug 7 11:32:25 PDT 2018


On Mon, Aug 6, 2018 at 1:57 PM Robin Sommer <robin at corelight.com> wrote:

> I have another question about this specific case: we use relay_rr()
> only for sending Intel::insert_indicator. Intel::remove_indicator gets
> published normally through auto_publish(). Why the difference?

Potentially no reason other than no one reviewed whether it had
potential to be optimized in a similar way.  e.g. I first ported
scripts in a direct fashion without trying to change too much
structurally about comm. patterns or doing any optimization except in
cases where a change was specifically talked about.  I only recall
Justin had called out Intel::insert_indicator, so it got changed.

- Jon


More information about the bro-dev mailing list