[Bro-Dev] Call for opinions on logging framework syntax problem

Seth Hall seth at icir.org
Tue Nov 29 20:19:14 PST 2011


On Nov 29, 2011, at 10:04 PM, Gregor Maier wrote:

> I'm wondering whether we should maybe start including the protocol in 
> the same column in the log files. I.e., the column would then be 
> "80/tcp"….

I don't like this since no databases have an analogous data type and integers are nice and searchable.

> Or we could handle ports similar to embedded records in the log file. 
> I.e., if we log a port variable named "orig_p" we would get two columns:
>   orig_p.port orig_p.proto
> I actually like this variant!


I like this too, but I get the sense that the protocol should actually be an attribute of the conn_id type and not a part of each port value.  If we started using counts for port values (and get rid of the port type?) and add a $proto field to conn_id, does that break any existing assumptions within the language?  There are a number of cases where the port type has caused me grief for various reasons, but I'm not sure if there is some deeper functionality I'm missing that we would lack with this change.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
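To make the database argument above concrete, here is an added example (not code from the thread or from Bro itself) that stores the same constructed connection rows two ways: as a fused "80/tcp" text column, and as a separate integer port column plus a proto column (the two-column layout that an embedded-record split like orig_p.port / orig_p.proto would produce). SQLite is used as a stand-in for whatever database the logs end up in; the rows, table names and helper functions are assumptions made for the example.

```python
import sqlite3

# Constructed sample connections (not from any real log):
# (orig_h, orig_p, resp_h, resp_p, proto).  Port 53 appears over
# both TCP and UDP, which is exactly why the protocol has to be
# logged somewhere alongside the port number.
SAMPLE_CONNS = [
    ("10.0.0.5", 51234, "192.168.1.10", 80,   "tcp"),
    ("10.0.0.5", 51235, "192.168.1.10", 8080, "tcp"),
    ("10.0.0.7", 40001, "192.168.1.53", 53,   "udp"),
    ("10.0.0.7", 40002, "192.168.1.53", 53,   "tcp"),
]


def fused_port(port, proto):
    """Render a port the '80/tcp' way."""
    return f"{port}/{proto}"


def parse_fused(value):
    """A consumer of the fused form has to split and convert it
    before it can do any numeric work on the port."""
    num, proto = value.split("/", 1)
    return int(num), proto


def build_db():
    """Load the sample rows into an in-memory SQLite database using
    both layouts so the same queries can be run against each."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fused (orig_h TEXT, orig_p TEXT, "
                 "resp_h TEXT, resp_p TEXT)")
    conn.execute("CREATE TABLE split (orig_h TEXT, orig_p INTEGER, "
                 "resp_h TEXT, resp_p INTEGER, proto TEXT)")
    for oh, op, rh, rp, pr in SAMPLE_CONNS:
        conn.execute("INSERT INTO fused VALUES (?,?,?,?)",
                     (oh, fused_port(op, pr), rh, fused_port(rp, pr)))
        conn.execute("INSERT INTO split VALUES (?,?,?,?,?)",
                     (oh, op, rh, rp, pr))
    return conn


def high_resp_ports_fused(conn):
    """Same predicate as below, but the column is text, so SQLite
    compares lexically: '53/tcp' and '80/tcp' both sort after '1024'."""
    rows = conn.execute("SELECT resp_p FROM fused WHERE resp_p > 1024 "
                        "ORDER BY resp_p")
    return [r[0] for r in rows]


def high_resp_ports_split(conn):
    """Integer column: the range query means what it says."""
    rows = conn.execute("SELECT resp_p FROM split WHERE resp_p > 1024 "
                        "ORDER BY resp_p")
    return [r[0] for r in rows]


def dns_by_proto_split(conn):
    """With proto in its own column, grouping by transport is a
    plain GROUP BY instead of a LIKE on a text prefix."""
    rows = conn.execute("SELECT proto, COUNT(*) FROM split "
                        "WHERE resp_p = 53 GROUP BY proto ORDER BY proto")
    return [tuple(r) for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("fused  resp_p > 1024:", high_resp_ports_fused(db))
    print("split  resp_p > 1024:", high_resp_ports_split(db))
    print("split  port 53 by proto:", dns_by_proto_split(db))
```

The fused query comes back with every TCP/UDP row because the comparison is on strings, while the split layout returns only 8080 and lets the protocol be queried on its own; that is the "integers are nice and searchable" point in runnable form.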
