[Zeek] Replacing the &synchronized attribute in 2.6

Samuel Oehlert soehlert at es.net
Thu Mar 14 11:25:11 PDT 2019


Mike Dopheide wrote a blog post (on the Zeek blog) about that exact topic
not too long ago. He had spent a lot of time at work fixing a bug with one
of our policies and had this deep dive in the process. It's a good read.

https://blog.zeek.org/2018/07/broker-is-coming-part-2-replacing.html

- Sam

On Thu, Mar 14, 2019 at 1:19 PM Michał Purzyński <michalpurzynski1 at gmail.com>
wrote:

> Thanks, using the configuration framework is easier indeed.
>
> Just for the sake of discussing some broker code - do we have examples how
> people replace the &synchronized attribute?
>
> On Thu, Mar 14, 2019 at 6:00 AM Hosom, Stephen M <hosom at battelle.org>
> wrote:
>
>> Michal,
>>
>>
>> For the use case in your email, the best option available to you is the
>> Configuration Framework.
>>
>>
>> https://docs.zeek.org/en/stable/frameworks/configuration.html
>>
>>
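>> # First file:
>>
>> module TestModule;
>>
>> export {
>>     # Runtime-tunable option; its value is replaced whenever the config file changes.
>>     option whitelist_scan_ip: set[subnet] = {};
>>
>>     # Register the file that the Configuration Framework reads and watches.
>>     redef Config::config_files += { "/path/to/my/config.dat" };
>> }
>>
>>
>> # /path/to/my/config.dat:
>> # (each line is the option name, whitespace, then the value; there is no "=")
>>
>> TestModule::whitelist_scan_ip 10.1.2.0/24,10.1.3.0/24,10.1.4.0/24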
>>
>>
>> Thanks,
>>
>> Stephen
>>
>> ________________________________
>> From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> on behalf of Jan
>> Grashöfer <jan.grashoefer at gmail.com>
>> Sent: Thursday, March 14, 2019 6:02:35 AM
>> To: zeek at zeek.org
>> Subject: Re: [Zeek] Replacing the &synchronized attribute in 2.6
>>
>> On 14/03/2019 10:43, Michał Purzyński wrote:
>> > do we have any example how to replace the old &synchronized attribute in
>> > the new Broker-powered world? I looked at the documentation (it's
>> > extremely verbose) and found nothing that I could relate to.
>>
>> https://docs.zeek.org/en/stable/frameworks/broker.html#porting-guide
>>
>> I guess data stores are the way to go.
>> Jan
>> _______________________________________________
>> Zeek mailing list
>> zeek at zeek.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek