[Bro] "Faking" connections and http records
seth at icir.org
Fri Mar 22 13:54:29 PDT 2013
On Mar 22, 2013, at 4:04 PM, Jim Mellander <jmellander at LBL.GOV> wrote:
> Does anyone have suggestions on how to proceed with this?
It wouldn't work very well. :)
Nearly all of the detections rely on the various http_ events. I would go down a slightly different route with logs than I would with raw traffic. This is something that I've been talking about for quite a while and I suspect something related will happen in the next year.
I think it's really cool that you're importing logs into Bro!
International Computer Science Institute
(Bro) because everyone has a network