[Bro-Dev] Unique connection ID for bro <-> logging framework
Gregor Maier
gregor at icir.org
Fri Dec 3 18:35:34 PST 2010
Hi,

I was wondering whether it would make sense to assign each connection an
ID that's unique for this bro run. This ID can just be a 64-bit counter
that gets incremented on every new connection.

Why: If we add this ID to log outputs, it would be much easier to
correlate activity across logs (e.g., find the connection in http.log,
alarm.log, and conn.log, without having to match 5-tuples and timestamps).

I think this would be a rather nice (and very easy to implement) feature.

Cluster considerations: maybe add a nodeID or something to the
connection ID. E.g., in the high-order 8 or 16 bits.

Thoughts?
Comments?

cu
Gregor
--
Gregor Maier gregor at icir.org
Int. Computer Science Institute (ICSI) gregor at icsi.berkeley.edu
1947 Center St., Ste. 600 http://www.icir.org/gregor/
Berkeley, CA 94704
USA
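
The ID layout proposed in the message above, as an added sketch that is not part of the original post and not Bro's own code: a per-node counter with the node ID in the high-order bits, plus the cross-log grouping that such an ID enables. The 16-bit node field, the names `ConnIdAllocator`, `node_of`, `counter_of` and `correlate`, and the reduced log-entry shape are assumptions made for illustration.

```cpp
#include <cstdint>
#include <map>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Assumed layout (the post suggests 8 or 16 high-order bits; 16 chosen here):
// [ node id : 16 bits ][ per-node counter : 48 bits ]
constexpr unsigned kNodeBits = 16;
constexpr unsigned kCounterBits = 64 - kNodeBits;
constexpr uint64_t kCounterMask = (uint64_t{1} << kCounterBits) - 1;

class ConnIdAllocator {
public:
    explicit ConnIdAllocator(uint16_t node_id) : node_(node_id) {}
    // Returns the next ID for this node. Throws rather than letting the
    // counter carry into the node field, which would forge another node's ID.
    uint64_t next() {
        if (counter_ > kCounterMask)
            throw std::overflow_error("connection counter exhausted");
        return (uint64_t{node_} << kCounterBits) | counter_++;
    }
private:
    uint16_t node_;
    uint64_t counter_ = 0;
};

// Split an ID back into its two fields.
inline uint16_t node_of(uint64_t id) { return static_cast<uint16_t>(id >> kCounterBits); }
inline uint64_t counter_of(uint64_t id) { return id & kCounterMask; }

// One log line reduced to (log name, connection ID); a constructed shape,
// not a real Bro log format.
using LogEntry = std::pair<std::string, uint64_t>;

// Group entries from different logs by connection ID: the join the post
// wants in place of matching 5-tuples and timestamps.
std::map<uint64_t, std::vector<std::string>> correlate(const std::vector<LogEntry>& entries) {
    std::map<uint64_t, std::vector<std::string>> by_id;
    for (const auto& e : entries)
        by_id[e.second].push_back(e.first);
    return by_id;
}
```

Because the counter restarts with each run, IDs built this way are unique only within one run, as the message states; comparing logs across runs would still need a timestamp or run identifier alongside the ID.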