[Bro-Dev] Unique connection ID for bro <-> logging framework

Seth Hall seth at icir.org
Fri Dec 3 18:42:32 PST 2010


On Dec 3, 2010, at 9:35 PM, Gregor Maier wrote:

> I was wondering whether it would make sense to assign each connection an
> ID that's unique for this bro run. This ID can just be a 64-bit counter
> that gets incremented on every new connection.

That's an interesting idea.

> Why: If we add this ID to log outputs, it would be much easier to
> correlate activity across logs (e.g., find the connection in http.log,
> alarm.log, and conn.log, without having to match 5-tuples and timestamps)

My only question is under what circumstance you do that activity correlation within a single connection?  I'm unable to think of a single time when I've needed to do something like that where I wasn't able to just search for the single IP address that I was interested in, because I was interested in anything that IP address was referenced in and not just that single connection.

  .Seth


