[Bro] Attributes and Ports Questions

Robin Sommer robin at icir.org
Thu Oct 30 07:53:58 PDT 2014


Hi Anthony,

have you seen this page?

https://www.bro.org/sphinx-git/script-reference/attributes.html

It's pretty new (though maybe it's actually where your questiosns are
coming from :)

To add a bit to that:

On Tue, Oct 28, 2014 at 18:10 -0700, anthony kasza wrote:

> &rotate_interval
> &rotate_size

This used to be primary log rotation mechanism before we switched to
the new logging system/format. I've been wondering if we should just
remove these attributes.

> &mergeable
> &synchronize (I think there was a post earlier last month about this one)
> &persistent

These are going to go away, but we aren't there yet. We may start
deprecating them with the next release, which is scheduled to ship
with a first version of their replacement, the new Broker library.

> &group

A bit of an obscure feature, originally added to toggle selected sets
of analysis dynamically from BroControl. Don't think that's used
anywhere and I'm inclined to remove it.

> &add_func
> &delete_func

These aren't used very often, but can be useful in individual cases.

> &encrypt (applying this to a file causes Bro to "elegantly terminate" for me)
> bro -Ci eth0 -e 'global f1: file = open("f.out") &encrypt'

Another relict from old-style logging, although the new framework
doesn't have any equivalent functionality yet.

Mind filing a ticket for the crash? We should either fix it or remove
the attribute.

Robin

-- 
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin



More information about the Bro mailing list