Comments (4)
Not a blocker, but would be a substantial improvement.
from zeek.
I might take a stab at this.
After looking at the code for a bit - I think there are two potential ways to solve this.
The first one was already noted by Jon - moving notice processing to workers. I am currently tempted to do this one - however this, in theory, could make it more difficult for users to write notice policies (they will only have local state available for the policies).
The second solution would be to change the datastructures that are being sent over the network - so that they are smaller and do not by default contain the full connection record, etc. This obviously comes with the disadvantage that users won't have as much state available in their policies.
Both approaches break compatibility a bit - at the moment I think that the first one (do the work mostly on the workers) is the more appealing one.
I agree that the 1st one seems more appealing; it sounds conceptually right, as it's in line with how other stuff works in the cluster (like log processing). It does raise a major backwards compatibility concern, though; it's just sufficiently convenient to not have to consider cluster issues for notice processing that I'm sure it's been relied on out there somewhere. Not quite sure what to do about it other than warn in NEWS.
I tried this and it actually turned out to not really be very invasive to just move this over to the workers.
Code in branch topic/johanna/gh-214-notice-on-workers or in pull request #440
One difference is that there now is a chance that notices will not be suppressed immediately - they will only be suppressed once the suppression notice has been distributed over the cluster. I don't really think that is a huge problem though.
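The suppression race described in the comment above, modelled as an added Python simulation that is not Zeek code and not part of the issue or pull request: every worker suppresses from its own table, and a suppression raised on one worker reaches the others only after a propagation delay. The worker names, the identifier strings (written in the style of a notice identifier) and the timings are constructed sample input.

```python
import heapq
from dataclasses import dataclass, field

@dataclass(order=True)
class Event:
    time: float
    seq: int
    kind: str = field(compare=False)        # "notice" seen locally, or "suppress" broadcast arriving
    node: str = field(compare=False)        # worker that handles the event
    identifier: str = field(compare=False)  # dedup key in the style of a notice identifier (constructed)
    expires: float = field(compare=False, default=0.0)

def simulate(observations, workers, propagation_delay, suppress_for=3600.0):
    """Return the (time, worker, identifier) notices actually emitted when each worker
    suppresses from its own table and learns of other workers' suppressions late."""
    q = [Event(t, i, "notice", w, ident) for i, (t, w, ident) in enumerate(observations)]
    heapq.heapify(q)
    seq = len(q)
    tables = {w: {} for w in workers}       # per worker: identifier -> suppression expiry
    emitted = []
    while q:
        ev = heapq.heappop(q)
        table = tables[ev.node]
        if ev.kind == "suppress":           # another worker's suppression finally arrived
            table[ev.identifier] = max(table.get(ev.identifier, 0.0), ev.expires)
            continue
        if table.get(ev.identifier, 0.0) > ev.time:
            continue                        # already suppressed locally
        emitted.append((ev.time, ev.node, ev.identifier))
        expires = ev.time + suppress_for
        table[ev.identifier] = expires
        for other in workers:               # tell the rest of the cluster, with delay
            if other != ev.node:
                heapq.heappush(q, Event(ev.time + propagation_delay, seq, "suppress", other, ev.identifier, expires))
                seq += 1
    return emitted

# Constructed sample: two workers see the same scanner 0.5 s apart, then it keeps going.
OBSERVATIONS = [
    (0.0, "worker-1", "Scan::Address_Scan:10.0.0.5"),
    (0.5, "worker-2", "Scan::Address_Scan:10.0.0.5"),
    (5.0, "worker-2", "Scan::Address_Scan:10.0.0.5"),
    (6.0, "worker-1", "Scan::Address_Scan:10.0.0.5"),
]
WORKERS = ["worker-1", "worker-2"]

def duplicate_notices(propagation_delay):
    # notices that escaped suppression because the broadcast arrived too late
    emitted = simulate(OBSERVATIONS, WORKERS, propagation_delay)
    return len(emitted) - len({ident for _, _, ident in emitted})
```

With a 2 s propagation delay the second worker raises a duplicate before the suppression reaches it; with instant distribution (delay 0, the equivalent of a single suppression table on the manager) only one notice is emitted.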