I am reviewing my source code and scripts for the ICAP Analyzer that I
presented last week at BroCon, with the intent of releasing the new analyzer to
the Bro community. There is one key aspect which I designed a certain way, but
I wonder if it would be acceptable to the community or if it would introduce
problems. I appreciate your feedback.
In the 'main.bro' script for the ICAP Analyzer, I redefine the 'conn_id' record
to include a new element, as follows:
redef record conn_id += {
    # User taken from the ICAP 'X-Authenticated-User' header; unset ('-')
    # in any log where no ICAP context exists
    orig_u : string &log &optional;
};
where 'orig_u' is derived from the ICAP header 'X-Authenticated-User' and is
associated with the userid on the local domain that originated the HTTP request.
At the time I wrote the code, it made perfect sense to extend the 'conn_id'
record to include the 'orig_u' element, and it works very well in my
operational environment. However, now that I am preparing to release the code
to a wider audience, it occurs to me that perhaps it may not be acceptable to
the community of users to extend the 'conn_id' record. To be clear, the
'orig_u' element would be present within every log file that records the
'conn_id' record, such as http.log, ftp.log, dns.log, etc. However, the values
are meaningful only for http.log. In the other log files, the 'orig_u' column
would contain a dash '-' value indicating the value is unset.
Design guidance: is it acceptable to redefine/extend the 'conn_id' record as
described above?
I appreciate your feedback.
Thanks!
Mark I. Fernandez
_______________________________________________
bro-dev mailing list
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
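Added illustration (not Mark's code, and not part of the original message): the narrower alternative the question weighs, attaching 'orig_u' to HTTP::Info instead of 'conn_id', so the user column appears only in http.log while the HTTP-to-user attribution useful for incident response is preserved. The event name icap_authenticated_user is a hypothetical stand-in for whatever the analyzer raises when it parses 'X-Authenticated-User'; the real event names are not on the page.

```zeek
# Example only; assumes a hypothetical event icap_authenticated_user(c, user)
# raised by the ICAP analyzer for the X-Authenticated-User header.

module ICAP;

export {
    ## Extends the http.log record only. Logs such as ftp.log or dns.log,
    ## which embed conn_id but not HTTP::Info, are left unchanged.
    redef record HTTP::Info += {
        orig_u: string &log &optional;
    };
}

# Hypothetical event, assumed to carry the authenticated local user of the
# HTTP request that the ICAP message encapsulates.
event icap_authenticated_user(c: connection, user: string)
    {
    # c$http is only populated once the HTTP analyzer has attached its
    # state; guard so an early header does not cause a runtime error.
    if ( ! c?$http )
        return;

    # Keep an empty header from overwriting a value already recorded.
    if ( user == "" )
        return;

    c$http$orig_u = user;
    }
```

With this layout, 'orig_u' is logged beside the request it describes in http.log and never shows up as a permanently empty column in the other conn_id-bearing logs.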