Notice::Info$src

I know we've talked about this a few times, but I don't remember what
the final verdict was: what's the semantics of the "src" field in
Notice::Info now?

The comment says:

    ## Source address, if we don't have a :bro:type:`conn_id`.
    src: addr &log &optional;

But the Server_Found notice sets it like this:

    NOTICE([$note=Server_Found,
        $msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s, c$id$resp_p, (known ? " (update)" : "")),
        $p=c$id$resp_p, $sub=s, $conn=c,
        $src=c$id$resp_h, $n=a]);

Robin

> I know we've talked about this a few times, but I don't remember what
> the final verdict was: what's the semantics of the "src" field in
> Notice::Info now?

More or less I stuck with the semantics that you had laid down. $src is dually used (and obviously not documented well inline as you noticed) as the "source" address for packets/connection, but in the event that the notice is an attribute of a host the $src field is used for holding that address. I don't feel like it's very optimal, but so far it's actually been working pretty well.

Are you reading the notice framework documentation I pushed out last night?

> But the Server_Found notice sets it like this:
>
>     NOTICE([$note=Server_Found,
>         $msg=fmt("%s: %s server on port %s%s", c$id$resp_h, s, c$id$resp_p, (known ? " (update)" : "")),
>         $p=c$id$resp_p, $sub=s, $conn=c,
>         $src=c$id$resp_h, $n=a]);

This is due to lingering inconsistency with notices that were written before I really started getting little conceptual issues like this surrounding the notice framework nailed down. We should probably make another round of assessment of the notices before 2.0-release. This was partly why I really wanted to get the new notice framework documented; I wanted everyone else to understand the slightly refined approach to notices I was taking.

  .Seth

Will do. This came up when I saw alarm summaries claiming
Server_Founds to be about a connection "A -> A" due to using $src for
the originator.

Robin
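
An added example (not part of the thread and not Bro's own code) that audits notice records for the two $src usages discussed above and flags the ones a summary would render as "A -> A". The record keys, the note names other than Server_Found, the addresses and the summary renderer are constructed assumptions.

```python
# Constructed sample records. The dict keys are assumed names modelled on the
# Notice::Info fields quoted in the thread ($note, $src, and the conn_id pair).
SAMPLE_NOTICES = [
    {"note": "Server_Found", "orig_h": "10.0.0.5", "resp_h": "192.0.2.10", "src": "192.0.2.10"},
    {"note": "Example_Conn_Notice", "orig_h": "10.0.0.5", "resp_h": "192.0.2.10", "src": "10.0.0.5"},
    {"note": "Example_Host_Notice", "orig_h": None, "resp_h": None, "src": "198.51.100.7"},
    {"note": "Example_Odd_Notice", "orig_h": "10.0.0.5", "resp_h": "192.0.2.10", "src": "203.0.113.9"},
]


def classify_src(rec):
    """Return which of the $src usages described in the thread a record follows."""
    src, orig, resp = rec.get("src"), rec.get("orig_h"), rec.get("resp_h")
    if src is None:
        return "no-src"
    if orig is None and resp is None:
        return "src-only"        # the commented use: no conn_id available
    if src == orig:
        return "packet-source"   # src is the connection's originator
    if src == resp:
        return "host-attribute"  # e.g. Server_Found: src names the server
    return "unrelated"           # src matches neither endpoint


def summary_endpoints(rec):
    """Hypothetical summary renderer that treats src as the originator."""
    return (rec.get("src") or rec.get("orig_h"), rec.get("resp_h"))


def self_connections(records):
    """Notes whose summary line would read 'A -> A'."""
    flagged = []
    for rec in records:
        left, right = summary_endpoints(rec)
        if left is not None and left == right:
            flagged.append(rec["note"])
    return flagged


def audit(records):
    """Map each note name to the $src usage it follows."""
    return {rec["note"]: classify_src(rec) for rec in records}


if __name__ == "__main__":
    for note, usage in audit(SAMPLE_NOTICES).items():
        print(f"{note}: {usage}")
    print("rendered as A -> A:", self_connections(SAMPLE_NOTICES))
```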