Jon, I noticed your commit message on data store expiration:
Author: Jon Siwek <jsiwek(a)corelight.com>
Date: Wed Mar 7 21:24:46 2018 -0600
Fix Known scripts to be able to use alternate implemenation
And run the external test suite using the alternate implementation
due to data stores behaving differently when running on offline pcaps.
E.g. expirations are based on wall time, not packet time, and timeouts
(which *are* based on packet time) may occur when the store is still
initializing due to a large interval of packet time passing.
That brings up an interesting question on data store semantics in
offline vs online mode. Ideally, there wouldn't be any difference
between the two operation modes, so that running on a trace gives
exactly the same results as online. That would match how Bro generally
operates. Could we make data store expiration driven by network time?
That'd need an API for Bro to drive Broker time forward. And for the
initialization, maybe Bro could wait for the initialization to finish?
Although I'm not quite sure here which initialization that refers too,
may not be feasible.
Are there other differences with stores between online and offline
Robin Sommer * Corelight, Inc. * robin(a)corelight.com * www.corelight.com