> If one
> could express such analyses easily with a few lines of script code,
> that would be quite powerful for doing script inspection that's also
> easy to customize.
Well sure, but it's not clear one can get to that point without some
significant work under the hood anyway in terms of the fea

On Thu, May 26, 2016 at 07:41 -0700, you wrote:
> I wonder if they don't use it because it's not on their radar. It's
> actually pretty handy,
I see that in principle but hardcoding the functionality in C++-land
doesn't seem to be the ideal way to go about things like this. If one
could expres

> Just removing this specific use
> of finding NOTICEs, which doesn't seem anybody has been using in a
> long time.
I wonder if they don't use it because it's not on their radar. It's
actually pretty handy, a way of telling when you think the set of NOTICEs
should be X, but it's actually X'. Can

> On May 26, 2016, at 10:15 AM, Robin Sommer wrote:
>
>
>
> On Wed, May 25, 2016 at 20:56 -0700, you wrote:
>
>> Well it's there in CHANGES, per the appended. But yeah looks like it never
>> went anywhere beyond the original instigation, so I think removing it is
>> okay.
>
> Ah, I didn't

On Wed, May 25, 2016 at 20:56 -0700, you wrote:
> Well it's there in CHANGES, per the appended. But yeah looks like it never
> went anywhere beyond the original instigation, so I think removing it is okay.
Ah, I didn't realize this is what originally introduced the whole
traversal machinery. T

> Does anybody remember what Bro's option -z is for?
Well it's there in CHANGES, per the appended. But yeah looks like it never
went anywhere beyond the original instigation, so I think removing it is okay.
OTOH, it's a pretty handy general notion, so instead pushing it further
strikes me as also

Does anybody remember what Bro's option -z is for?
-z|--analyze | run the specified policy file analysis
Turns out the only supported "analysis" is "notice":
# bro -r x.pcap -z notice
Found NOTICE: PacketFilter::Dropped_Packets
Found NOTICE: PacketFilter::Install_Failure
Found NOTICE
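The check Robin describes (the set of NOTICEs "should be X, but it's actually X'") is easy to script on top of the `Found NOTICE:` lines that `bro -z notice` prints above. The following is an added example, not code from the thread or from the Bro project: it parses that output and diffs it against an expected allowlist of notice types, reporting anything missing or unexpected. The `SAMPLE_OUTPUT` text is constructed here to look like the listing in the mail, with two extra notice names (`Scan::Address_Scan`, `Weird::Activity`) added as assumptions; nothing was captured from a real run.

```python
import re
import sys
from typing import Dict, Set

# Constructed stand-in for the output of `bro -r x.pcap -z notice`
# (the last two lines are assumed, not taken from the thread).
SAMPLE_OUTPUT = """\
Found NOTICE: PacketFilter::Dropped_Packets
Found NOTICE: PacketFilter::Install_Failure
Found NOTICE: Scan::Address_Scan
Found NOTICE: Weird::Activity
"""

# Matches exactly the "Found NOTICE: <Module>::<Name>" lines; anything
# else (warnings, truncated lines, blank lines) is ignored.
NOTICE_RE = re.compile(r"^Found NOTICE:\s*(\S+)\s*$")


def parse_notices(output: str) -> Set[str]:
    """Collect the NOTICE type names reported by `bro -z notice`."""
    found: Set[str] = set()
    for line in output.splitlines():
        m = NOTICE_RE.match(line.strip())
        if m:
            found.add(m.group(1))
    return found


def compare_notices(expected: Set[str], actual: Set[str]) -> Dict[str, Set[str]]:
    """Diff the expected set X against the observed set X'.

    'missing' is X - X' (a notice you rely on is no longer raised by
    any loaded script); 'unexpected' is X' - X (a script started
    raising a notice nobody reviewed).
    """
    return {
        "missing": expected - actual,
        "unexpected": actual - expected,
    }


def check(output: str, expected: Set[str]) -> bool:
    """Print every deviation and return True only when X == X'."""
    diff = compare_notices(expected, parse_notices(output))
    for name in sorted(diff["missing"]):
        print(f"MISSING    {name}")
    for name in sorted(diff["unexpected"]):
        print(f"UNEXPECTED {name}")
    return not diff["missing"] and not diff["unexpected"]


# Hypothetical allowlist for the sample; in practice this would be the
# reviewed list of notice types your deployment is expected to raise.
EXPECTED = {
    "PacketFilter::Dropped_Packets",
    "PacketFilter::Install_Failure",
    "Scan::Address_Scan",
}

if __name__ == "__main__":
    # Usage: bro -r x.pcap -z notice | python3 check_notices.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    sys.exit(0 if check(data, EXPECTED) else 1)
```

Run against the constructed sample, the script reports `UNEXPECTED Weird::Activity` and exits non-zero, which is the signal Robin is after: the traversal machinery does the work of enumerating notices, and the comparison against a reviewed list lives in a few lines outside the C++ core.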