[Bro-Dev] Unique connection ID for bro <-> logging framework

Gregor Maier gregor at icir.org
Fri Dec 3 19:04:32 PST 2010


>> Why: If we add this ID to log outputs, it would be much easier to
>> correlate activity across logs (e.g., find the connection in http.log,
>> alarm.log, and conn.log, without having to match 5-tuples and timestamps)
> 
> My only question is under what circumstance you do that correlation activity within a single connection?  I'm unable to think of a single time when I've needed to do something like that where I wasn't able to just search for the single IP address that I was interested in because I was interested in anything that IP address was referenced in and not just that single connection.

Some examples:

* I want to count the number of HTTP requests per connection

* I do per connection stats (e.g., number of packets, number of
  bytes, retransmissions, RTTs), store them in their own log files
  and then want to correlate with the conn.log or the http.log

* Easier debugging / analysis:
  I can just grep for the connectionID, instead of
  having to map between different connection formattings (e.g., notices
  have origIP:origPort -> respIP:respPort but when I want to grep for
  them in conn.log, I have to do some awk to get there)

* ...

I guess I have more of a measurement point of view here....


cu
Gregor
-- 
Gregor Maier                                             gregor at icir.org
Int. Computer Science Institute (ICSI)          gregor at icsi.berkeley.edu
1947 Center St., Ste. 600                    http://www.icir.org/gregor/
Berkeley, CA 94704
USA
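To make the correlation use case from the message concrete, here is an added example (not code from the thread or from Bro itself): it joins a conn.log with an http.log on a connection ID alone, counts HTTP requests per connection, and contrasts that with the 4-tuple lookup you need when all a notice gives you is `origIP:origPort -> respIP:respPort`. The log layout (tab-separated, ID in the second column) and the sample records are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample logs (not real Bro output): tab-separated, with a
# connection ID as the second column of every log that refers to a connection.
CONN_LOG = """\
1291424672.1\tC1a2b3\t10.0.0.5\t51234\t93.184.216.34\t80\ttcp\thttp
1291424673.4\tC4d5e6\t10.0.0.5\t51235\t93.184.216.34\t80\ttcp\thttp
1291424674.0\tC7f8g9\t10.0.0.7\t40001\t10.0.0.9\t22\ttcp\tssh
"""
HTTP_LOG = """\
1291424672.2\tC1a2b3\tGET\t/index.html
1291424672.5\tC1a2b3\tGET\t/style.css
1291424672.9\tC1a2b3\tGET\t/logo.png
1291424673.5\tC4d5e6\tPOST\t/login
"""
CONN_FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service")

def parse_conn(text):
    """Index conn.log records by their connection ID."""
    conns = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(CONN_FIELDS, line.split("\t")))
        conns[rec["uid"]] = rec
    return conns

def http_requests_per_conn(text):
    """Count http.log lines per connection ID: one request per line."""
    return Counter(line.split("\t")[1] for line in text.splitlines() if line.strip())

def correlate(conn_text, http_text):
    """Join conn.log and http.log on the ID alone: no 5-tuple or timestamp matching."""
    counts = http_requests_per_conn(http_text)
    return {uid: dict(rec, requests=counts.get(uid, 0))
            for uid, rec in parse_conn(conn_text).items()}

NOTICE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)$")

def notice_to_uid(notice_conn, conns):
    """The fallback an ID makes unnecessary: map the 'origIP:origPort -> respIP:respPort'
    notice formatting onto a conn.log record by matching the 4-tuple (None if no match)."""
    m = NOTICE_RE.match(notice_conn)
    if not m:
        raise ValueError("unrecognised notice connection format: %r" % notice_conn)
    for uid, rec in conns.items():
        if (rec["orig_h"], rec["orig_p"], rec["resp_h"], rec["resp_p"]) == m.groups():
            return uid
    return None
```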
