[Bro-Dev] semantics of ts field for known_services?

Seth Hall seth at icir.org
Wed Nov 30 20:06:39 PST 2011


On Nov 30, 2011, at 6:03 PM, Vern Paxson wrote:

> Is this field meant to capture when the determination was made that a given
> service is running somewhere?  For a slice-trace I'm analyzing, I see it's
> on the ACK by the client of the first line sent back by the server.  Not
> quite what I would expect, but also not necessarily any sort of issue.


The semantics of that field are a little fuzzy.  If a protocol was detected, the field contains the time that the analyzer generated the ProtocolConfirmation.  If no protocol was detected, a scheduled event is set for several minutes (I think 5 by default) so that Bro can wait and see if a better connection where a protocol is detected comes along before it goes to log the service.  Hm, I guess the semantics are pretty clear, the ts field always contains the time when the log record was written.  Determining why that happened when it did is a bit fuzzy.

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/




More information about the bro-dev mailing list