[Zeek-Dev] support for event handlers using a subset of parameters
Seth Hall
seth at corelight.com
Fri Feb 1 09:30:00 PST 2019
On 1 Feb 2019, at 11:24, Robin Sommer wrote:
> It's a nice a idea to relax parameter passing to work by name, and
> allow subsets. However, I can't quite get myself to really like it in
> this form, because it *looks* like an error to not have matching
> argument lists. Is there some syntax that would make it more clear
> what's going on?
I think the change to using names does make things a bit more confusing
for users, but it opens the door for us to greatly improve reliability
of scripts in the long term and generally it feels like a nice way for
analyzer authors to deprecate functionality without needing to create
all new events. In my opinion even though there are hairy side effects
to this I think it's a net positive. It would be great to get case
sensitive versions of dns events and the http header event. That has
been a very long standing deficit.
I guess if there is some more obvious way to do it could make sense, but
I haven't been able to come up with anything after thinking about this
for quite a while.
.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com
More information about the zeek-dev
mailing list