[Bro-Dev] Unique connection ID for bro <-> logging framework

Gregor Maier gregor at icir.org
Fri Dec 3 22:53:48 PST 2010


> Getting back to your question though, it's an interesting idea but I wonder if it will still be necessary once the "normal" logging output changes.  At the very least, if you output tab separated value data, you should be able to do something like this....
> 
> cat whatever.log | grep "1.2.3.4<tab>35231<tab>4.3.2.1<tab>80"

In general yes, as long as the 5-tuple isn't reused.

(I can basically do this right now, if I use awk to reorder the
connection-tuple so that I can grep for it. My thought was that
having a single numeric ID might make life easier.)

> The binary log output may make that even easier too.

Being able to use grep, sed, awk, and co. is still very nice, so I'll
probably end up using a binary to ascii converter quite frequently.


cu
gregor
-- 
Gregor Maier                                             gregor at icir.org
Int. Computer Science Institute (ICSI)          gregor at icsi.berkeley.edu
1947 Center St., Ste. 600                    http://www.icir.org/gregor/
Berkeley, CA 94704
USA
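A concrete version of the awk-then-grep approach discussed in this message, added here as an illustration and not code from the Bro project or from the poster. The tab-separated column layout (ts, orig_h, orig_p, resp_h, resp_p, proto), the sample records and the 600-second reuse gap are constructed assumptions. The first function normalizes the connection tuple so a grep-style lookup matches either direction; the second shows what a per-connection numeric ID buys you when the same 5-tuple is reused later.

```shell
#!/bin/sh
# Constructed sample log (NOT Bro's real conn.log layout), tab separated:
# ts  orig_h  orig_p  resp_h  resp_p  proto
# Records 1 and 2 are the same connection seen in both directions;
# record 4 reuses the 5-tuple of record 1 fifteen minutes later.
SAMPLE_LOG=$(printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
  1291400000.1 1.2.3.4  35231 4.3.2.1 80  tcp \
  1291400000.5 4.3.2.1  80    1.2.3.4 35231 tcp \
  1291400001.0 10.0.0.7 51000 4.3.2.1 443 tcp \
  1291400900.0 1.2.3.4  35231 4.3.2.1 80  tcp)

# Canonical key for a tuple: the lexically smaller host/port endpoint first,
# so the same connection hashes to the same key in both directions.
AWK_KEY='
  function key(h1, p1, h2, p2, proto) {
    if ((h1 "/" p1) < (h2 "/" p2)) return h1 "/" p1 "|" h2 "/" p2 "|" proto
    return h2 "/" p2 "|" h1 "/" p1 "|" proto
  }'

# find_conn LOG orig_h orig_p resp_h resp_p proto
# Prints every record whose normalized tuple matches the query.
find_conn() {
  printf '%s\n' "$1" | awk -F'\t' \
    -v a="$2" -v ap="$3" -v b="$4" -v bp="$5" -v pr="$6" "$AWK_KEY"'
    BEGIN { want = key(a, ap, b, bp, pr) }
    key($2, $3, $4, $5, $6) == want { print }'
}

# count_conn: number of records matching a tuple (3 here, because the
# tuple is reused; a grep on the tuple alone cannot tell the two apart).
count_conn() { find_conn "$@" | wc -l | tr -d ' '; }

# tag_ids LOG [GAP]
# Prepends a numeric connection ID to each record. Assumption (constructed
# heuristic): the same normalized tuple seen again after more than GAP
# seconds is a new connection and gets a fresh ID. Records must be in
# timestamp order.
tag_ids() {
  printf '%s\n' "$1" | awk -F'\t' -v OFS='\t' -v GAP="${2:-600}" "$AWK_KEY"'
    {
      k = key($2, $3, $4, $5, $6)
      if (!(k in id) || $1 - last[k] > GAP) id[k] = ++n
      last[k] = $1
      print id[k], $0
    }'
}

# count_id LOG ID: records carrying a given connection ID, i.e. the
# single-column lookup the message proposes instead of tuple reordering.
count_id() { tag_ids "$1" | awk -F'\t' -v want="$2" '$1 == want' | wc -l | tr -d ' '; }

# Stand-alone demonstration.
echo "tuple lookup (both directions, reuse included):"
find_conn "$SAMPLE_LOG" 1.2.3.4 35231 4.3.2.1 80 tcp
echo "records tagged with a connection ID:"
tag_ids "$SAMPLE_LOG"
```

With the sample above, the tuple lookup returns three records (the two directions of the first connection plus the later reuse), while tagging assigns ID 1 to the first two records, ID 2 to the unrelated connection and ID 3 to the reuse, so an ID-based grep isolates one connection without any awk reordering.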