[Bro-Dev] Unique connection ID for bro <-> logging framework
Gregor Maier
gregor at icir.org
Fri Dec 3 19:04:32 PST 2010
>> Why: If we add this ID to log outputs, it would be much easier to
>> correlate activity across logs (e.g., find the connection in http.log,
>> alarm.log, and conn.log, without having to match 5-tuples and timestamps)
>
> My only question is under what circumstance you do that activity correlation activity within a single connection? I'm unable to think of a single time when I've needed to do something like that where I wasn't able to just search for the single IP address that I was interested in because I was interested in anything that IP address was referenced in and not just that single connection.
Some examples:
* I want to count the number of HTTP request per connection
* I do per connection stats (e.g., number of packets, number of
bytes, retransmissions, RTTs), store them in their own log files
and then want to correlate with the conn.log or the http.log
* Easier debugging / analysis:
I can just grep for the connectionID, instead of
having to map between different connection formattings (e.g., notices
have origIP:origPort -> respIP:respPort but when I want to grep for
them in conn.log, I have to do some awk to get there)
* ...
I guess I have more a measurement point of view here....
cu
Gregor
--
Gregor Maier gregor at icir.org
Int. Computer Science Institute (ICSI) gregor at icsi.berkeley.edu
1947 Center St., Ste. 600 http://www.icir.org/gregor/
Berkeley, CA 94704
USA
More information about the bro-dev
mailing list