[Zeek] Replacing the &synchronized attribute in 2.6

Michał Purzyński michalpurzynski1 at gmail.com
Thu Mar 14 19:42:56 PDT 2019


Thanks - this is exactly what I was Googling for (and could not find).

On Thu, Mar 14, 2019 at 11:25 AM Samuel Oehlert <soehlert at es.net> wrote:

> Mike Dopheide wrote a blog post (on the Zeek blog) about that exact topic
> not too long ago. He had spent a lot of time at work fixing a bug with one
> of our policies and had this deep dive in the process. It's a good read.
>
> https://blog.zeek.org/2018/07/broker-is-coming-part-2-replacing.html
>
> - Sam
>
> On Thu, Mar 14, 2019 at 1:19 PM Michał Purzyński <
> michalpurzynski1 at gmail.com> wrote:
>
>> Thanks, using the configuration framework is easier indeed.
>>
>> Just for the sake of discussing some broker code - do we have examples
>> how people replace the &synchronized attribute?
>>
>> On Thu, Mar 14, 2019 at 6:00 AM Hosom, Stephen M <hosom at battelle.org>
>> wrote:
>>
>>> Michal,
>>>
>>>
>>> For the use case in your email, the best option available to you is the
>>> Configuration Framework.
>>>
>>>
>>> https://docs.zeek.org/en/stable/frameworks/configuration.html
>>>
>>>
>>> # First file:
>>>
>>> module TestModule;
>>>
>>> export {
>>>     option whitelist_scan_ip: set[subnet] = {};
>>>     redef Config::config_files += { "/path/to/my/config.dat" };
>>> }
>>>
>>> # /path/to/my/config.dat:
>>>
>>> TestModule::whitelist_scan_ip 10.1.2.0/24,10.1.3.0/24,10.1.4.0/24
>>>
>>>
>>> Thanks,
>>>
>>> Stephen
>>>
>>> ________________________________
>>> From: zeek-bounces at zeek.org <zeek-bounces at zeek.org> on behalf of Jan
>>> Grashöfer <jan.grashoefer at gmail.com>
>>> Sent: Thursday, March 14, 2019 6:02:35 AM
>>> To: zeek at zeek.org
>>> Subject: Re: [Zeek] Replacing the &synchronized attribute in 2.6
>>>
>>>
>>> On 14/03/2019 10:43, Michał Purzyński wrote:
>>> > do we have any example how to replace the old &synchronized attribute in
>>> > the new Broker-powered world? I looked at the documentation (it's extremely
>>> > verbose) and found nothing that I could relate to.
>>>
>>> https://docs.zeek.org/en/stable/frameworks/broker.html#porting-guide
>>>
>>> I guess data stores are the way to go.
>>> Jan
>>> _______________________________________________
>>> Zeek mailing list
>>> zeek at zeek.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek
>>>
>
>
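
The Configuration Framework approach suggested in the quoted reply, extended with a change handler that records every runtime edit of the whitelist. This is an added example, not code from the thread or from the Zeek project; the helper `is_whitelisted` and the handler `whitelist_changed` are hypothetical names, and the config path is the placeholder used in the quoted script.

```zeek
# Added example (not from the thread). Assumes Bro/Zeek 2.6 and the option
# TestModule::whitelist_scan_ip as declared in the quoted script.
module TestModule;

export {
	## Subnets exempt from scan reporting; updated at runtime from config.dat.
	option whitelist_scan_ip: set[subnet] = {};

	## Hypothetical helper: T if the address falls inside a whitelisted subnet.
	global is_whitelisted: function(a: addr): bool;
}

# Placeholder path, as in the quoted script. Each line of the file is
# "<option name> <whitespace> <value>", for example:
#   TestModule::whitelist_scan_ip 10.1.2.0/24,10.1.3.0/24
redef Config::config_files += { "/path/to/my/config.dat" };

function is_whitelisted(a: addr): bool
	{
	# An addr tested against set[subnet] matches any containing subnet.
	return a in whitelist_scan_ip;
	}

# Runs before a new value is applied; the returned value is what gets set.
# Reporting the difference leaves an audit trail of whitelist edits.
function whitelist_changed(ID: string, new_value: set[subnet]): set[subnet]
	{
	for ( n in new_value )
		if ( n !in whitelist_scan_ip )
			Reporter::info(fmt("%s: added %s", ID, n));

	for ( o in whitelist_scan_ip )
		if ( o !in new_value )
			Reporter::info(fmt("%s: removed %s", ID, o));

	return new_value;
	}

# bro_init is the 2.6 name of this event; Zeek 3.0 and later call it zeek_init.
event bro_init()
	{
	Option::set_change_handler("TestModule::whitelist_scan_ip", whitelist_changed);
	}
```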