[Bro-Dev] Module prefix in sending and receiving Broker events

Jon Siwek jsiwek at corelight.com
Thu Sep 13 10:00:54 PDT 2018


On Thu, Sep 13, 2018 at 4:28 AM Matthias Vallentin <vallentin at icir.org> wrote:
>
> >  Does the
> > suggestion [1] to always explicitly scope events by their
> > namespace/module address your problem?
>
> That's what I thought would work, but it's the opposite: when I add
> the module name as prefix, Bro silently ignores the event.

So [1] didn't work...

> As mentioned in your reference [1], explicit module qualification works as well:
>
>     event Foo::foo() { ... }

But [1] also worked? :)

> I'm essentially running into the inverse of BIT-71, the ticket you referenced.

Yeah, I think I see how it's the reverse of the original example, but
it's likely the same underlying module/namespacing ambiguities with
events, so I'd still suggest explicitly scoping events always and
everywhere (which was the [1] suggestion).

It might also help if you send actual examples that can be run if that
still doesn't work because it's hard to interpret what you mean by
"publish via Broker".  That could mean Bro's Broker::publish() API or
the standalone Broker API itself and they are potentially different.

> I found a
> surprising solution though: if I declare the event first, then it
> works. Here's an example:
>
>     module Foo;
>     global foo: event();
>     event foo() { ... }
>
> This works as expected: when I create an event with name Foo::foo, the
> handler gets dispatched. Without the declaration, it doesn't work.

Sure, but that's also not the [1] suggestion either.  Adding the
namespace scoping always and everywhere means to the event
declaration, the handlers, event/schedule dispatching, any strings
that contain the event name, etc.

- Jon
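
The "always and everywhere" scoping described in the message above, sketched as an added example that is not code from the thread or from the Bro project. The topic name `example/foo` and the `msg` parameter are assumptions made for illustration, and the script targets the Bro 2.6-era `Broker::publish()` script API rather than the standalone Broker API.

```bro
module Foo;

export {
	# Declaration carries the module prefix explicitly, rather than
	# relying on the enclosing "module Foo;" to supply it.
	global Foo::foo: event(msg: string);
}

# Handler is written with the fully qualified name as well.
event Foo::foo(msg: string)
	{
	print fmt("Foo::foo handled: %s", msg);
	}

event bro_init()
	{
	# Topic name is a constructed placeholder.
	Broker::subscribe("example/foo");

	# Direct dispatch, fully qualified.
	event Foo::foo("direct");

	# Scheduled dispatch, fully qualified.
	schedule 1sec { Foo::foo("scheduled") };

	# Publishing through Bro's script-level Broker API, fully qualified.
	# A peer using the standalone Broker API would have to name the
	# event with the same string, "Foo::foo".
	Broker::publish("example/foo", Foo::foo, "published");
	}
```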

