signature update without restarting zeek

Hi everybody,

I think it would be nice to be able to update a user-defined signature file without restarting zeek, possibly using the input framework. However, I believe this is not available yet, nor does it seem easy to implement. After a quick look at the code, it is my understanding that the rule parsing is done for signature files using bison/yacc machinery. Signature files are loaded and parsed when starting zeek, in main.cc.

It would save me a great deal of time if somebody could tell me how easy it would be to implement this feature and point me in the right direction.

Thanks in advance,

Mauro

Hello, Palumbo!

I'm not sure about the rule parsing but it might help to know that the
input framework is capable of re-reading files:

https://docs.zeek.org/en/stable/frameworks/input.html#re-reading-and-streaming-data

Sorry if that's not much help, it's just a recent feature that I came
across that may be useful to you.

Regards,
cmh

Hi Christopher,
I am aware of the input framework feature REREAD and in fact I already used it for other files. However, it is my understanding that this cannot be used for signature files. But I'll be glad to be wrong on this point... :)

Thanks
Mauro

-----Original Message-----

Very well! Sorry for misunderstanding the scope. I'm sure someone will
be able to fill us both in on possible options!

cmh