[Bro-Dev] Call for opinions on logging framework syntax problem

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Tue Nov 29 21:19:50 PST 2011

No, I have no real concrete example… I just tried to think of things people might perhaps want to do. And the use-case of having a set of ports for one IP did not seem too far-fetched.


On Nov 29, 2011, at 8:24 PM, Seth Hall wrote:

> On Nov 29, 2011, at 11:06 PM, Bernhard Amann wrote:
>> When adding the protocol directly to the port information, the log line would e.g. look like
>> 53/udp,80/tcp,8080/tcp
> This is definitely one place where the email I just sent breaks down.  It's the port value used outside of the context of a conn_id value.  Do you have a concrete example of when you'd want to do something like this?  I suspect that if you wanted to do that it would actually be better to organize your data in a different way.  Like this:
> #fields host	port	proto
>	53	udp
>	80	tcp
>	8080	tcp
>  .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
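The two serializations discussed in this exchange (a single comma-separated `port/proto` field versus one row per host/port/proto triple) can be made concrete with a small converter. The following is an added example, not code from the bro-dev thread or from Bro itself; the host address `192.0.2.10`, the function names and the accepted protocol suffixes are assumptions made here. It also shows the point Seth raises: a bare port number with no protocol suffix is rejected, because outside a `conn_id` context it is ambiguous.

```python
"""Added example (not from the bro-dev thread): serialize a host's set of
ports two ways, and refuse port values that carry no transport protocol."""
from __future__ import annotations

import re
from typing import List, Tuple

# Protocol suffixes accepted here; an assumption for this example.
PORT_PROTO_RE = re.compile(r"^(\d{1,5})/(tcp|udp|icmp|unknown)$")


def parse_port_list(field: str) -> List[Tuple[int, str]]:
    """Parse an inline field such as '53/udp,80/tcp,8080/tcp' into
    [(53, 'udp'), (80, 'tcp'), (8080, 'tcp')].

    A token without a '/proto' suffix (e.g. '53') raises ValueError: a
    port number alone does not identify a service, so the field would
    be useless for matching or alerting."""
    ports = []
    for token in field.split(","):
        token = token.strip()
        if not token:
            continue  # tolerate a trailing comma or empty field
        m = PORT_PROTO_RE.match(token)
        if not m:
            raise ValueError(f"port token {token!r} lacks a protocol suffix")
        number = int(m.group(1))
        if number > 65535:
            raise ValueError(f"port {number} out of range")
        ports.append((number, m.group(2)))
    return ports


def to_inline_field(ports: List[Tuple[int, str]]) -> str:
    """Inverse of parse_port_list: the single-field form from the thread."""
    return ",".join(f"{number}/{proto}" for number, proto in ports)


def header_line(fields: List[str]) -> str:
    """Tab-separated '#fields ...' header, as in the quoted sketch."""
    return "#fields\t" + "\t".join(fields)


def to_long_rows(host: str, ports: List[Tuple[int, str]]) -> List[str]:
    """The alternative layout: one tab-separated row per (host, port, proto),
    so no field ever holds more than one value."""
    return [f"{host}\t{number}\t{proto}" for number, proto in ports]


if __name__ == "__main__":
    # Constructed sample: a host listening on three services.
    sample_host = "192.0.2.10"
    parsed = parse_port_list("53/udp,80/tcp,8080/tcp")
    print("inline:", sample_host, to_inline_field(parsed), sep="\t")
    print(header_line(["host", "port", "proto"]))
    for row in to_long_rows(sample_host, parsed):
        print(row)
    try:
        parse_port_list("53,80,8080")  # no protocol: rejected
    except ValueError as exc:
        print("rejected:", exc)
```

Both layouts carry the same information; the row-per-triple form is easier for downstream tools that split on tabs and never expect a nested list inside one column, while the inline form keeps one line per host. Either way, dropping the protocol suffix loses information that cannot be recovered later.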
