[Bro-Dev] Portmapper logging
Gregor Maier
gregor at icir.org
Mon Dec 6 09:30:40 PST 2010
Hi,
I dug around and checked how portmapper.bro does logging, notices, and
interaction with other policy scripts. It seems that it
* "logs" activity by setting the "addl" field for conn.log
* creates NOTICEs for some activity
* modifies the services field for connections that have an RPC
service (e.g., NFS, ypserv, etc.)
See the attached file for details.
* The notice generation is very convoluted. I was wondering whether it
makes sense to clean that up. (The attached file at least documents
the behavior.)
* I want to add an actual portmapper.log file to log portmapper
activity. If we have that, we wouldn't need the "addl" anymore. Is it
worth removing it? (Esp. wrt the new logging framework)
cu
gregor
--
Gregor Maier gregor at icir.org
Int. Computer Science Institute (ICSI) gregor at icsi.berkeley.edu
1947 Center St., Ste. 600 http://www.icir.org/gregor/
Berkeley, CA 94704
USA
Name: portmapper-logging.txt
Url: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20101206/4faec88d/attachment.txt
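The following sketch is an added example, not code from this message, from the attached file, or from Bro's own portmapper.bro: it shows what a dedicated portmapper.log written through the Bro 2.x logging framework (which postdates this thread) could look like, so that the "addl" field on conn.log is no longer needed. It assumes the pm_request_getport / pm_attempt_getport events and the pm_port_request record (program, version, is_tcp) as documented for Bro 2.x, the Log::create_stream / Log::write API, and a set-valued c$service field on the connection record.

```bro
# Added example: a minimal portmapper.log using the Bro 2.x logging
# framework. Not part of the original message or of Bro's portmapper.bro.
# Assumed: pm_request_getport / pm_attempt_getport event signatures and
# the pm_port_request record as in Bro 2.x events.bif.
module Portmapper;

export {
    redef enum Log::ID += { LOG };

    # One record per portmapper GETPORT request or attempt.
    type Info: record {
        ts:      time    &log;
        uid:     string  &log;
        id:      conn_id &log;
        program: count   &log;            # RPC program number, e.g. 100003 for NFS
        version: count   &log;
        is_tcp:  bool    &log;
        p:       port    &log &optional;  # port returned by the server, if the call succeeded
        status:  string  &log &default="success";
    };

    # Raised for every record written, so other scripts can hook in
    # without re-implementing the event handlers below.
    global log_portmapper: event(rec: Info);
}

event bro_init()
    {
    Log::create_stream(Portmapper::LOG,
                       [$columns=Info, $ev=log_portmapper, $path="portmapper"]);
    }

# Build the common part of a record and tag the connection's service set,
# which replaces setting the "addl" field on conn.log by hand.
function new_info(c: connection, pr: pm_port_request): Info
    {
    add c$service["portmapper"];
    return [$ts=network_time(), $uid=c$uid, $id=c$id,
            $program=pr$program, $version=pr$version, $is_tcp=pr$is_tcp];
    }

# Successful GETPORT: the server answered with a port for the program.
event pm_request_getport(r: connection, pr: pm_port_request, p: port)
    {
    local rec = new_info(r, pr);
    rec$p = p;
    Log::write(Portmapper::LOG, rec);
    }

# Failed GETPORT: record the RPC status instead of a port.
event pm_attempt_getport(r: connection, status: rpc_status, pr: pm_port_request)
    {
    local rec = new_info(r, pr);
    rec$status = fmt("%s", status);   # enum name, e.g. RPC_PROG_UNAVAIL
    Log::write(Portmapper::LOG, rec);
    }
```

Loading this script yields a portmapper.log with one line per GETPORT, keyed by the connection uid so it can be joined back to conn.log; NOTICE generation is deliberately left out here, since that is the part the message proposes to clean up separately.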