[Bro] TimeStamp of Bro output

keqhe at cs.wisc.edu keqhe at cs.wisc.edu
Fri Feb 8 15:00:48 PST 2013


Hi Robin and Vlad,

according to the bro documentation,
http://www.bro-ids.org/documentation/scripts/base/protocols/conn/main.html

there is a 'uid' field in conn.log that is a unique flow identifier. Can
we use uid to identify the same flow in conn.log and http.log/ssl.log?
Timestamp is not suitable for flow identification.

Thanks!
> Correct, and in particular log lines are explicitly not sorted by
> time.
>
> Robin
>
> On Thu, Feb 07, 2013 at 22:31 +0000, Vlad Grigorescu wrote:
>
>> Hi,
>>
>> I believe what you're seeing is a result of how those timestamps are
>> defined.
>>
>> In conn.log[1]: "This is the time of the first packet."
>> In http.log[2]: "Timestamp for when the request happened."
>>
>> The conn record doesn't get written until the connection closes (or
>> times out). It happens during the connection_state_remove[3] event. By
>> handling it at connection close, you get duration, byte/packet counts,
>> etc.
>>
>> Also, the times for when the first packet was seen, and when the actual
>> HTTP request was seen can be slightly off.
>>
>> Does this line up with what you're seeing?
>>
>>   --Vlad
>>
>> [1] <http://www.bro-ids.org/documentation/scripts/base/protocols/conn/main.html#type-Conn::Info>
>> [2] <http://www.bro-ids.org/documentation/scripts/base/protocols/http/main.html#type-HTTP::Info>
>> [3] <http://www.bro-ids.org/documentation/scripts/base/event.bif.html#id-connection_state_remove>
>>
>> On Feb 7, 2013, at 5:11 PM, <keqhe at cs.wisc.edu> wrote:
>>
>> > Hi Everyone,
>> >
>> > We observe that the flows' timestamps in the Bro log file are not strictly
>> > in time order. Also we note that for the same flow, the timestamp in
>> > conn.log and the timestamp in http.log are not the same. Has anyone noticed
>> > the problem before and have ideas on this?  Thanks!
>> >
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
> --
> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>
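To illustrate the answer given in this thread (correlate conn.log with http.log on the shared uid field, not on ts, and do not assume lines are time-ordered), here is an added Python example that is not from the thread or from Bro itself. The two logs are constructed samples in Bro's tab-separated ASCII format with a reduced column set, and the uid values are made up.

```python
"""Join Bro conn.log and http.log records on uid and measure the ts offset.

Added example, not part of the mailing-list thread. CONN_LOG and HTTP_LOG are
constructed samples (reduced columns, made-up uids) in Bro's ASCII log format.
"""

CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval
1360360905.120000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\thttp\t4.250000
1360360902.300000\tCjhGID4nQcgTWjvg4c\t10.0.0.7\t44321\t93.184.216.34\t443\ttcp\tssl\t12.100000
1360360906.800000\tCbHsPp1aKl7y0h9Ri\t10.0.0.5\t51235\t93.184.216.34\t80\ttcp\thttp\t0.900000
"""

HTTP_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring
1360360905.131000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t93.184.216.34\t80\tGET\texample.com\t/
1360360906.842000\tCbHsPp1aKl7y0h9Ri\t10.0.0.5\t51235\t93.184.216.34\t80\tGET\texample.com\t/a.png
"""


def parse_bro_log(text):
    """Parse Bro ASCII logs: '#' lines are metadata, '#fields' names the columns."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # other metadata (#types, #separator, ...) or blank line
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def is_time_sorted(records):
    """True only if the records appear in non-decreasing ts order (Bro does not guarantee this)."""
    ts = [float(r["ts"]) for r in records]
    return ts == sorted(ts)


def join_on_uid(conn_records, http_records):
    """For each http record, look up its connection by uid and report the ts offset.

    conn.ts is the first packet of the connection; http.ts is the request, so the
    offset is normally small but positive. HTTP records with no matching uid are skipped.
    """
    conns = {r["uid"]: r for r in conn_records}
    joined = []
    for h in http_records:
        c = conns.get(h["uid"])
        if c is None:
            continue
        offset = round(float(h["ts"]) - float(c["ts"]), 6)
        joined.append({"uid": h["uid"], "conn_ts": c["ts"], "http_ts": h["ts"],
                       "offset": offset, "host": h["host"], "uri": h["uri"]})
    return joined


if __name__ == "__main__":
    conn, http = parse_bro_log(CONN_LOG), parse_bro_log(HTTP_LOG)
    print("conn.log sorted by ts:", is_time_sorted(conn))
    for row in join_on_uid(conn, http):
        print(row["uid"], row["host"] + row["uri"], "request %+.3fs after first packet" % row["offset"])
```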