[Bro] Question about fields in the notice log
seth at icir.org
Tue Jun 4 11:01:06 PDT 2013
On Jun 4, 2013, at 7:14 AM, Paul Halliday <paul.halliday at gmail.com> wrote:
> What is the difference between id.orig_h, id.resp_h and src,dst?
Not much. :) I think the original intent behind them was that in cases where there is no obvious directionality (i.e., non-TCP) the src and dst fields would be used, since they indicate the sender and receiver of an individual packet and don't represent a "connection". I've been using the src field for notices that only reference a single host too, although ultimately I don't think that's a good thing. We should probably add a host field for cases where only a single host is being referred to in the notice.
International Computer Science Institute
(Bro) because everyone has a network
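As an added illustration of the two ways those columns get filled (example script, not part of the reply above or of the Bro distribution): passing `$conn` lets the notice framework populate uid, id.orig_h/id.resp_h and, from them, src/dst, while a single-host notice sets only `$src` and leaves the id.* and dst columns empty. The notice type names, the telnet check and the attempt threshold are assumptions made for the example.

```bro
# Added example for a Bro 2.x notice.log discussion; not from the original post.
module NoticeFields;

export {
    redef enum Notice::Type += {
        # Hypothetical notice types, defined only for this illustration.
        Conn_Based,   # raised with a connection record attached
        Host_Only,    # raised for a single host, no connection attached
    };
}

# Per-originator count of unanswered connection attempts (constructed example
# state; entries expire an hour after creation).
global attempts: table[addr] of count &default=0 &create_expire=1hr;

# Connection-based notice: $conn fills uid, proto and id.orig_h/id.orig_p/
# id.resp_h/id.resp_p, and the framework copies id.orig_h/id.resp_h into
# src/dst, so all of those columns appear in notice.log.
event connection_established(c: connection)
    {
    if ( c$id$resp_p == 23/tcp )
        NOTICE([$note=Conn_Based,
                $msg=fmt("telnet session from %s", c$id$orig_h),
                $conn=c]);
    }

# Single-host notice: there is no one connection to attach, so only src is
# set and the id.* and dst columns stay "-" in notice.log. This is the usage
# the reply calls not ideal, since src does not really mean "sender" here.
event connection_attempt(c: connection)
    {
    local h = c$id$orig_h;
    ++attempts[h];
    if ( attempts[h] == 50 )   # assumed threshold for the example
        NOTICE([$note=Host_Only,
                $msg=fmt("%s made %d unanswered connection attempts", h, attempts[h]),
                $src=h,
                $n=attempts[h]]);
    }
```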