mirror of
https://github.com/zeek/zeek.git
synced 2025-10-02 14:48:21 +00:00
d3f88ba9d1
The MHR script involves a "when" statement which can be expensive due to the way it clones frames/vals. In this case, the fa_file record is expensive to clone, but this change works around that by unrolling only the necessary fields from it that are needed to populate a Notice::Info record. A drawback to this is that the full fa_file or connection records aren't available in the Notice::Info record when evaluating Notice::policy hooks for MHR hit notices (though they can possibly be recovered by using e.g. the lookup_connection() builtin_function). |
||
|---|---|---|
| .. | ||
| communication | ||
| control | ||
| dpd | ||
| files | ||
| intel | ||
| packet-filter | ||
| signatures | ||
| software | ||