More flexible signature "event" interface #3403
awelzel added a commit that referenced this issue Nov 29, 2023
This change allows to specify a per signature specific event, overriding the default signature_match event. It further removes the message parameter from such events if not provided in the signature. Closes #3403
awelzel added a commit that referenced this issue Nov 30, 2023
This change allows to specify a per signature specific event, overriding the default signature_match event. It further removes the message parameter from such events if not provided in the signature. This also tracks the message as StringValPtr directly to avoid allocating the same StringVal for every DoAction() call. Closes #3403
awelzel added a commit that referenced this issue Dec 4, 2023
This change allows to specify a per signature specific event, overriding the default signature_match event. It further removes the message parameter from such events if not provided in the signature. This also tracks the message as StringValPtr directly to avoid allocating the same StringVal for every DoAction() call. Closes #3403
Discussed in #3372
Originally posted by vpax October 12, 2023
Currently, Zeek's signature framework supports the generation of a single event:
and when writing signatures, all that's specified is the msg that goes with that event:
We've been developing Zeek scripts that need to dispatch on the particular signature matched. Currently this requires a bunch of comparisons of msg (and these can happen in different instances of signature_match event handlers, depending on the modularity associated with the content). An extension to deal with this would be to allow the event specifier in a signature to optionally be the name of an event to generate, rather than a string to associate with it:
(the event value could instead be a string like now, in which case signature_match is generated), or perhaps:
where the given event would have to have a common type signature (which for the second example could be the same as the signature_match event).
This seems handy and pretty straightforward to implement. Thoughts?