On Thu, Mar 8, 2018 at 11:12 AM, Robin Sommer <robin(a)corelight.com> wrote:
That brings up an interesting question on data store
offline vs online mode. Ideally, there wouldn't be any difference
between the two operation modes, so that running on a trace gives
exactly the same results as online. That would match how Bro generally
Yeah, that's ideal. I was mostly eager to get into a stable "all
tests pass" state with this possibly temporary commit.
Could we make data store expiration driven by network
That'd need an API for Bro to drive Broker time forward. And for the
initialization, maybe Bro could wait for the initialization to finish?
Those were also my basic thoughts, though needs investigation to try
things out (it's on my todo list).
Are there other differences with stores between online
Not that I've found yet.