Maybe I'm jumping the gun a little bit, but I want to start wrapping my head around the upcoming changes. Let's start by stating my use case... I wanted to stop the repetitive reverse DNS queries caused by ssh/interesting-hostnames.bro by rebuilding known-hosts.bro to include the names, allowing a simple lookup*. I started re-writing the old one and Justin pointed me towards the 'new' version of known-hosts in the topic/actor-system branch.
Looking at the new known-hosts.bro...

1) My initial gut feeling was that all of the when() calls for insertion could get really expensive on a brand new cluster before the store is populated.

2) Correct me if I'm wrong, but it seems like the check for a host already being in known_hosts (now host_store) no longer exists. As a result, we try to re-insert the host, calling when(), every time we see an established connection with a local host. Which leads me to...

3) How do I retrieve values from the store to test for existence?

4) Assuming that requires another Broker call inside a when(), does it make sense to pull the data store into memory at bro_init() and do a Cluster::publish_hrw?

Thanks,
Dop

* - Yes, on the edges this breaks DNS TTLs, but saves thousands of when() calls to lookup_addr() and our names don't change very frequently.