[Bro-Dev] Offline Broker usage (Re: [Bro-Commits] [git/bro] topic/actor-system: Fix Known scripts to be able to use alternate implemenation (50e1498))

Jon Siwek jsiwek at corelight.com
Thu Mar 8 09:50:18 PST 2018


On Thu, Mar 8, 2018 at 11:12 AM, Robin Sommer <robin at corelight.com> wrote:

> That brings up an interesting question on data store semantics in
> offline vs online mode. Ideally, there wouldn't be any difference
> between the two operation modes, so that running on a trace gives
> exactly the same results as online. That would match how Bro generally
> operates.

Yeah, that's ideal.  I was mostly eager to get into a stable "all
tests pass" state with this possibly temporary commit.

> Could we make data store expiration driven by network time?
> That'd need an API for Bro to drive Broker time forward. And for the
> initialization, maybe Bro could wait for the initialization to finish?

Those were also my basic thoughts, though needs investigation to try
things out (it's on my todo list).

> Are there other differences with stores between online and offline
> operation?

Not that I've found yet.

- Jon


More information about the bro-dev mailing list