[Bro] Global array in context?
Seth Hall
seth at icir.org
Thu May 5 08:21:55 PDT 2016
> On Apr 29, 2016, at 10:21 AM, Luis Martin <martin.liras at gmail.com> wrote:
>
> refine connection UmasTCP_Conn += {
> %member{
> int previous_fcs[256];
> %}
> };
Sorry for not responding previously but I'm glad to hear that you figured out how to get it working!
I do have one design question though (and there is no right answer), are you just taking these function codes and passing them directly into events to be given into script-land? Typically the only case where I collect state in the core like you're doing is when I need that information to continue parsing messages which I believe is probably the case you are in, but you didn't give enough snippets of code to show if that's true.
�
If you lean toward only collecting state in the analyzer when absolutely necessary and otherwise collecting all state in scripts, it frequently makes pushing things forward more flexible because it's typically much easier and faster to collect and expunge state in scripts that it is in the core.
Congratulations on working out your own problem, I know it can be really painful sometimes. :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list