[Bro-Dev] attributes & named types

Vlad Grigorescu vlad at es.net
Mon Nov 5 09:20:00 PST 2018


On Mon, Nov 5, 2018 at 4:40 PM Robin Sommer <robin at corelight.com> wrote:

>
>
> On Sat, Nov 03, 2018 at 21:58 +0000, Vlad Grigorescu wrote:
>
> > In my mind, if the keyword is applied to a record, I would expect any new
> > fields added to that record to also be logged.
>
> I believe the reason for not doing that is that then one couldn't add
> a field that's *not* being logged (because currently we don't have
> remove-an-attribute support).
>

Yeah, I think the reasoning makes sense, and that seemed to be the
consensus from the discussion on bro-dev in 2011. My point is simply that
with the current behavior, it's not clear (or, AFAICT, documented) that
adding &log to a record is just a shorthand for adding &log to each
attribute, and that it really has no meaning for the record as a whole.

  --Vlad
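
The behavior discussed in this thread, as an added example that is not part of the original message: a record declared with `&log`, then extended with one field that carries `&log` and one that does not. The module, stream, path and field names are hypothetical, and the script assumes current Zeek naming (`zeek_init`; Bro 2.x used `bro_init`).

```zeek
module Demo;

export {
    redef enum Log::ID += { LOG };

    # Record-level &log: shorthand for putting &log on each field
    # declared here (ts and host).
    type Info: record {
        ts:   time;
        host: addr;
    } &log;
}

# Fields added by a later redef do not pick up the record-level &log;
# each one needs its own attribute to become a log column.
redef record Info += {
    note_logged:   string &optional &log;
    note_internal: string &optional;   # no &log: kept in the record only
};

event zeek_init()
    {
    # Hypothetical stream writing Demo::Info records to demo.log.
    Log::create_stream(Demo::LOG, [$columns=Info, $path="demo"]);

    Log::write(Demo::LOG, [$ts=current_time(), $host=127.0.0.1,
                           $note_logged="visible",
                           $note_internal="hidden"]);
    }
```

When extending a record that a detection or audit log depends on, check the column header of the resulting log file to confirm the new field is actually written.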