> - The PolicyItem model (bottom one) has the ability to halt further
> processing with the $halt attribute of PolicyItems. I don't think I'm
> convinced that this is a huge issue.

I think the same thing could be done with the event-model -- if Notice::Info
just had a boolean field that each event handler body could check and then bail
out early if necessary. And that field could even be something left up to a
user to define in a redef.
> - The evented model has latency from the event queue, but I don't think this
> is a huge issue. The latency is normally ok. Jon, is it an issue for the
> file analysis framework?

I think the latency is a problem in that case since immediate feedback is
helpful if certain actions are to work without buffering incoming file data.
E.g. if the only thing I want to happen is for files to be extracted to disk,
then I wouldn't expect that to require buffering.
It may be workable, but I think the latency does make things more complicated
so it might not make sense to re-use this policy model for the file analysis
framework, but that shouldn't be a showstopper for using it for notices. I
think it's fine to have the policy models be inconsistent, as long as both are
easy to understand and use for their purpose.
Jon
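As an added illustration of the early-exit idea in the reply above (not code from the Bro project or from Jon): a Bro script in which a redef'd boolean field on Notice::Info lets a higher-priority handler tell later handlers to stop. The field name `halt`, the handler bodies and the choice of Notice::Tally as the suppressed type are assumptions.

```zeek
# Added example: early exit for event-based notice handling.
# Records are passed by reference, so a field set in one handler of
# Notice::notice is visible to the handlers that run after it.

# Assumed field name; a site could choose its own in a redef.
redef record Notice::Info += {
    ## Set by an earlier handler to tell later handlers to skip this notice.
    halt: bool &default=F;
};

# Highest priority runs first: decide here whether processing should stop.
# Suppressing Notice::Tally is only a constructed illustration.
event Notice::notice(n: Notice::Info) &priority=10
    {
    if ( n$note == Notice::Tally )
        n$halt = T;
    }

# Lower-priority handlers check the flag and bail out before doing work.
event Notice::notice(n: Notice::Info) &priority=5
    {
    if ( n$halt )
        return;

    # Hypothetical per-site action, e.g. forwarding the notice elsewhere.
    print fmt("handling notice %s from %s", n$note, n$src);
    }

# Handlers at default priority (0) run last and see the same flag.
event Notice::notice(n: Notice::Info)
    {
    if ( n$halt )
        return;

    print fmt("default-priority handler saw %s", n$note);
    }
```

The halt check is the only coupling between handlers, so a handler that forgets it simply keeps the old behaviour rather than breaking others.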
_______________________________________________
bro-dev mailing list
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev