I am reviewing my source code and scripts for the ICAP Analyzer that I 
presented last week at BroCon, with the intent of releasing the new analyzer to 
the Bro community.  There is one key aspect which I designed a certain way, but 
I wonder if it would be acceptable to the community or if it would introduce 
problems.  I appreciate your feedback.

In the 'main.bro' script for the ICAP Analyzer, I redefine the 'conn_id' record 
to include a new element, as follows:

    # 'orig_u' is set from the ICAP 'X-Authenticated-User' header
    redef record conn_id += {
        orig_u : string &log &optional;
    };

where 'orig_u' is derived from the ICAP header 'X-Authenticated-User' and is 
associated with the userid on the local domain that originated the HTTP request.

At the time I wrote the code, it made perfect sense to extend the 'conn_id' 
record to include the 'orig_u' element, and it works very well in my 
operational environment.  However, now that I am preparing to release the code 
to a wider audience, it occurs to me that perhaps it may not be acceptable to 
the community of users to extend the 'conn_id' record.  To be clear, the 
'orig_u' element would be present within every log file that records the 
'conn_id' record, such as http.log, ftp.log, dns.log, etc.  However, the values 
are meaningful only for http.log.  In the other log files, the 'orig_u' column 
would contain a dash '-' value indicating the value is unset.

Design guidance: is it acceptable to redefine/extend the 'conn_id' record as 
described above?

I appreciate your feedback.

Mark I. Fernandez
bro-dev mailing list

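The alternative scoping that the message's concern points at, written out as an added example (this is not Mark's analyzer code and is not from the bro-dev thread): attach the field to HTTP::Info instead of conn_id, so that the column is emitted only by http.log and the other logs that embed conn_id (ftp.log, dns.log, ...) are untouched. The event name `icap_header` and its signature are assumptions, since the original message does not show the analyzer's events; the check that the encapsulated HTTP request is reachable as `c$http` on the same connection is likewise an assumption.

```bro
##! Added example, not the ICAP analyzer's own script: scope the
##! authenticated-user field to HTTP::Info rather than conn_id, so the
##! column appears in http.log only.

module ICAP;

export {
	redef record HTTP::Info += {
		## Local user that originated the request, taken from the ICAP
		## X-Authenticated-User header. Logged in http.log only.
		orig_u: string &log &optional;
	};
}

# Assumption: the ICAP analyzer raises one event per ICAP header carrying
# the connection and the header name and value. The real analyzer's event
# names are not given in the original message, so this signature is
# hypothetical and would be replaced by the analyzer's actual event.
event icap_header(c: connection, name: string, value: string)
	{
	if ( to_lower(name) != "x-authenticated-user" )
		return;

	# Assumption: the encapsulated HTTP request is parsed on the same
	# connection, so its HTTP::Info record is reachable as c$http. If
	# the HTTP state is not there yet, there is nothing to attach to.
	if ( ! c?$http )
		return;

	c$http$orig_u = value;
	}
```

With this layout the value is reachable from scripts as `c$http$orig_u` rather than `c$id$orig_u`, so any existing consumer of the conn_id field would need to change; in exchange, no log other than http.log gains a column that is always a dash.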