[Bro-Dev] 'async' update and proposal
Jon Siwek
jsiwek at corelight.com
Tue Jan 30 08:28:01 PST 2018
On Tue, Jan 30, 2018 at 9:38 AM, Robin Sommer <robin at icir.org> wrote:
> An attribute can work if we're confident that the relevant information
> can always be extracted from the event parameters. In a concurrent
> prototype many years ago we instead used a hardcoded set of choices
> based on the underlying connection triggering the event (5-tuple, host
> pair, src IP, dst IP). So you'd write (iirc):
>
> event protocol_event_1(c: connection ...) &scope = connection
>
> That detaches the context calculation from event parameters, with the
> obvious disadvantage that it can't be customized any further. Maybe
> there's some middle ground where we'd get both.
Yeah, it seems open to having multiple methods available for the user
to choose from: dynamic call to script-land, dynamic calculation in
core (select from predefined list), or even a static value (not that I
can think of a particular place that would actually use that right
now).

Was there more benefit of using the predefined choice than saving the
overhead of calling out to script-land to do the context calculation?

- Jon