[Bro] Question about http.log and conn.log.
johanna at icir.org
Thu Dec 28 12:42:37 PST 2017
> (1) Why do some UID in http.log not correspond to conn.log UID?
This should not be possible - all connections in http.log should
(eventually) be logged in conn.log. Note that they do not necessarily have
to be logged with the same timestamp or even in the same logfile -
especially with long-lived connections.
> (2) Why may one conn.log UID correspond to many flows in HTTP.log?
The HTTP log does not contain flows but requests. One HTTP connection can
have many request/reply pairs.
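An added example, not part of the original message: a UID join between http.log and one or more conn.log files, showing several requests under one UID and a UID that only resolves once a later rotated conn.log is included. The log contents, UIDs, addresses and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample data in Bro's tab-separated log layout (columns trimmed).
HTTP_LOG = (
    "#fields\tts\tuid\tmethod\thost\turi\n"
    "1514493700.11\tCAAA1\tGET\texample.test\t/\n"
    "1514493700.52\tCAAA1\tGET\texample.test\t/style.css\n"
    "1514493701.03\tCAAA1\tPOST\texample.test\t/login\n"
    "1514493710.20\tCBBB2\tGET\texample.test\t/stream\n"
)
# conn.log for the same period: CBBB2 is still open, so it has no entry yet.
CONN_LOG_EARLY = (
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tduration\n"
    "1514493700.10\tCAAA1\t10.0.0.5\t192.0.2.10\t2.31\n"
)
# Later rotated conn.log: written once the long-lived connection ended.
CONN_LOG_LATE = (
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\tduration\n"
    "1514493710.18\tCBBB2\t10.0.0.6\t192.0.2.11\t7200.40\n"
)

def read_bro_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record seen before #fields header")
            yield dict(zip(fields, line.split("\t")))

def correlate(http_text, conn_texts):
    """Return (HTTP requests per UID, http.log UIDs absent from conn logs)."""
    conn_uids = {r["uid"] for text in conn_texts for r in read_bro_log(text)}
    per_uid = Counter(r["uid"] for r in read_bro_log(http_text))
    return per_uid, sorted(u for u in per_uid if u not in conn_uids)

if __name__ == "__main__":
    per_uid, missing = correlate(HTTP_LOG, [CONN_LOG_EARLY])
    print("requests per connection:", dict(per_uid))
    print("unmatched with one conn.log:", missing)
    both = correlate(HTTP_LOG, [CONN_LOG_EARLY, CONN_LOG_LATE])[1]
    print("unmatched with both conn.log files:", both)
```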