new bro "CURRENT" release - 0.8a57
mtdedlow at lbl.gov
Fri Dec 12 11:27:51 PST 2003
>>Will <service> still contain port numbers? Or will "other-nnnnn" become
>>simply "other"? (that would be my preference)
> Good point. As implemented, it continues to be other-nnnnn, but I think
> just plain "other" makes more sense, since we now can finally cleanly separate
> the notion of service from the notion of port.
It's cleaner, but is it really separated internally, or just in the logs?
I confess (and probably reveal) my near total BRO ignorance, but isn't
service just mapped from port number in some (many?) cases? Even if
so, the separation is valuable and clearly necessary where not so,
but I wonder if it wouldn't be useful to have some indication of those
connections that BRO has determined the service of (via inspection)
versus merely inferring the service from a port:name lookup table.
Put another way (my interest), it's my impression that sometimes the
service field contains additional information and sometimes it doesn't.
Is that correct? If so, would indicating this in the log be worthwhile?
PS. any consideration of making the log format a config spec:
red_log_format: "%time %duration %service %oip %rip %bytes %rbytes ...."
maybe little value... just a thought.
More information about the Bro