[Bro-Dev] Module prefix in sending and receiving Broker events

Jon Siwek jsiwek at corelight.com
Wed Sep 12 08:30:57 PDT 2018


On Wed, Sep 12, 2018 at 10:09 AM Matthias Vallentin <vallentin at icir.org> wrote:
>
> When I receive events from Bro via Broker, they have the prefix of the
> enclosing module:
>
>     module Foo;
>
>     event foo() { ... }
>     event bar() { ... }
>
> When I publish "foo" via Broker, it arrives as "Foo::foo". However, when
> I publish an event "Foo::bar" from Broker, Bro doesn't recognize it. I
> must published it as "bar" - without the module prefix. Is this
> intentional?

Maybe not so much intentional, but expected at this point.  Does the
suggestion [1] to always explicitly scope events by their
namespace/module address your problem?  There's some longstanding
oddities [2] with the way events interact with module namespacing.

- Jon

[1] https://www.bro.org/sphinx-git/frameworks/broker.html#a-reminder-about-events-and-module-namespaces
[2] https://bro-tracker.atlassian.net/browse/BIT-71


More information about the bro-dev mailing list