Reference Manual: Missing Documentation

From BroWiki

This chapter holds stubs for subjects that have yet to be documented. Some of these are actually already somewhat covered elsewhere in the manual. In addition, a major missing piece for the manual is the Bro language itself; below we mention some Bro language topics that come up elsewhere in the current version of the manual.


The use of prefixes

The tcpdump save file that Bro writes

The bro.init initialization file

Assignment operators such as +=

The notion of redefinition/refinement

The notice/alarm model

Timer management

SYN-FIN filtering

Split routing

Scan dropping

Operator precedence

Partial connections

Packet drops

The load directive

Global statements

Inserting tables into tables

Demultiplexing

Bro init file

Hostnames vs. addresses

The hot-report script

Use of libpcap/BPF

See: bpf, pcap refs (FIXME)

The problem of evasion

See: ptacek98 paper (FIXME)

Backscatter

Playing back traces

Discarders

Differences between this release and the previous one

Notice cascade

The need for subtyping

E.g., src addr vs. dst addr, perhaps using attributes.

The need for CIDR masks

The wish list

Known bugs

Execution tracing

Policy analyzers

Trace rewriting

Rule benchmarking

Connection state history recording
