[Bro] Question on SSL logs

Raj Srinivasan raj at bivio.net
Fri Jul 8 12:29:17 PDT 2016


First, the background info... we are in the process of upgrading from Bro v2.3.2 to v2.4.1. The older version runs on a slower system which experiences more packet loss than the newer version, which is running on a faster system (which has mostly no loss at all). Both systems are seeing the same network traffic.

What we are seeing is that the SSL logs from v2.3.2 are consistently larger (by 20% to 25%) than the logs produced by v2.4.1. I see that there are a lot of improvements in the handling of SSL, and many that might actually impact log information, but we are unable to quantify how the logs are being affected even after a visual inspection of the logs. Is it reasonable to expect the new log files to be more compact (using the default SSL policies in both cases)? Just as a data point, the HTTP logs are comparable in size.

Would highly appreciate a response from the Bro SSL experts.

