[Bro-Dev] Unique connection ID for bro <-> logging framework

Gregor Maier gregor at icir.org
Mon Dec 6 09:29:24 PST 2010


BTW, the addl field in conn.log is sometimes used for something similar.
E.g., http.bro will create a unique ID for each HTTP-session and put
this session ID into the connection's addl....

cu
gregor

On 12/3/10 18:35 , Gregor Maier wrote:
> Hi,
> 
> I was wondering whether it would make sense to assign each connection an
> ID that's unique for this bro run. This ID can just be a 64-bit counter
> that gets incremented on every new connection.
> 
> Why: If we add this ID to log outputs, it would be much easier to
> correlate activity across logs (e.g., find the connection in http.log,
> alarm.log, and conn.log, without having to match 5-tuples and timestamps)
> 
> I think this would be a rather nice (and very easy to implement) feature.
> 
> Cluster considerations: maybe add a nodeID or something to the
> connection ID. E.g., in the high-order 8 or 16 bits.
> 
> 
> Thoughts?
> Comments?
> cu
> Gregor


-- 
Gregor Maier                                             gregor at icir.org
Int. Computer Science Institute (ICSI)          gregor at icsi.berkeley.edu
1947 Center St., Ste. 600                    http://www.icir.org/gregor/
Berkeley, CA 94704
USA
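
The ID scheme proposed in the quoted message, sketched as an added example (not part of the original thread and not Bro code): a 64-bit ID with the node ID in the high-order 16 bits and a per-node counter below it, then used to join constructed conn.log, http.log and alarm.log records. `ConnIdAllocator`, `split_id`, `correlate`, `build_sample` and the record fields are hypothetical names.

```python
from collections import defaultdict

NODE_BITS = 16                      # assumption: node ID takes the high-order 16 bits
COUNTER_BITS = 64 - NODE_BITS
COUNTER_MASK = (1 << COUNTER_BITS) - 1


class ConnIdAllocator:
    """Hypothetical per-node allocator: node ID in the high bits, counter below."""

    def __init__(self, node_id):
        if not 0 <= node_id < (1 << NODE_BITS):
            raise ValueError("node_id does not fit in NODE_BITS")
        self.node_id = node_id
        self.counter = 0

    def next_id(self):
        self.counter += 1           # incremented on every new connection
        if self.counter > COUNTER_MASK:
            raise OverflowError("per-node counter exhausted")
        return (self.node_id << COUNTER_BITS) | self.counter


def split_id(conn_id):
    """Return (node_id, counter) for a 64-bit connection ID."""
    return conn_id >> COUNTER_BITS, conn_id & COUNTER_MASK


def correlate(*logs):
    """Group records by conn_id; each log is a (name, records) pair."""
    by_id = defaultdict(dict)
    for name, records in logs:
        for rec in records:
            by_id[rec["conn_id"]].setdefault(name, []).append(rec)
    return dict(by_id)


def build_sample():
    """Constructed records: both nodes are at counter 1, so only the node bits differ."""
    a = ConnIdAllocator(1).next_id()
    b = ConnIdAllocator(2).next_id()
    conn = [{"conn_id": a, "orig": "10.0.0.5:40000", "resp": "192.0.2.10:80"},
            {"conn_id": b, "orig": "10.0.0.6:40000", "resp": "192.0.2.10:80"}]
    http = [{"conn_id": a, "uri": "/index.html"}, {"conn_id": b, "uri": "/login"}]
    alarm = [{"conn_id": b, "msg": "constructed alarm"}]
    return a, b, correlate(("conn.log", conn), ("http.log", http), ("alarm.log", alarm))
```

Without the node bits both sample connections would carry the ID 1, which is the collision the cluster consideration in the quoted message avoids.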


