[Bro] "Faking" connections and http records

Seth Hall seth at icir.org
Fri Mar 22 13:54:29 PDT 2013

On Mar 22, 2013, at 4:04 PM, Jim Mellander <jmellander at LBL.GOV> wrote:

> Does anyone have suggestions on how to proceed with this?

It wouldn't work very well. :)

Nearly all of the detections rely on the various http_ events.  I would go down a slightly different route with logs than I would with raw traffic.  This is something that I've been talking about for quite a while and I suspect something related to happen in the next year.

I think it's really cool that you're importing logs into Bro!


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network

More information about the Bro mailing list