[Bro] Attributes and Ports Questions
anthony kasza
anthony.kasza at gmail.com
Thu Oct 30 08:44:00 PDT 2014
That page is exactly where my questions are coming from. I tried using each
of the attributes in a few toy scripts and was wondering if people are
using them in production as I could not find some of them used in base or
policy. Thanks for the insight, Robin.
-AK
On Oct 30, 2014 7:54 AM, "Robin Sommer" <robin at icir.org> wrote:
> Hi Anthony,
>
> have you seen this page?
>
> https://www.bro.org/sphinx-git/script-reference/attributes.html
>
> It's pretty new (though maybe it's actually where your questiosns are
> coming from :)
>
> To add a bit to that:
>
> On Tue, Oct 28, 2014 at 18:10 -0700, anthony kasza wrote:
>
> > &rotate_interval
> > &rotate_size
>
> This used to be primary log rotation mechanism before we switched to
> the new logging system/format. I've been wondering if we should just
> remove these attributes.
>
> > &mergeable
> > &synchronize (I think there was a post earlier last month about this one)
> > &persistent
>
> These are going to go away, but we aren't there yet. We may start
> deprecating them with the next release, which is scheduled to ship
> with a first version of their replacement, the new Broker library.
>
> > &group
>
> A bit of an obscure feature, originally added to toggle selected sets
> of analysis dynamically from BroControl. Don't think that's used
> anywhere and I'm inclined to remove it.
>
> > &add_func
> > &delete_func
>
> These aren't used very often, but can be useful in individual cases.
>
> > &encrypt (applying this to a file causes Bro to "elegantly terminate"
> for me)
> > bro -Ci eth0 -e 'global f1: file = open("f.out") &encrypt'
>
> Another relict from old-style logging, although the new framework
> doesn't have any equivalent functionality yet.
>
> Mind filing a ticket for the crash? We should either fix it or remove
> the attribute.
>
> Robin
>
> --
> Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20141030/e20c362d/attachment.html
More information about the Bro
mailing list