[Bro] connection_status_update for inactive flows
Seth Hall
seth at icir.org
Mon Feb 4 12:03:34 PST 2013
On Feb 4, 2013, at 2:02 PM, David Mandelberg <dmandelb at bbn.com> wrote:
> One more question: What's the best way for a script to handle
> connection_status_update_interval? Would it offend site administrators
> or other script authors for my script to redef it to a value that works
> for that script?
I would approach the problem differently, I *really* don't like the connection_status_update event because of the global change as you've noticed. Are you familiar with scheduled events?
You could implement your script like this…
module MyModule;
export {
## The period of delay for all established connections
## before rechecking them for whatever I'm checking them for.
const checkup_interval = 5sec;
}
event MyModule::regular_check(c: connection)
{
# Do your check you would have previously done in connection_status_update
print c$uid;
# Reschedule this event.
schedule checkup_interval { MyModule::regular_check(c) };
}
event connection_established(c: connection)
{
# Schedule the event that does the check.
schedule checkup_interval { MyModule::regular_check(c) };
}
Does that work for what you're trying to do?
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
More information about the Bro
mailing list