[Bro-Dev] Portmapper logging

Gregor Maier gregor at icir.org
Mon Dec 6 09:30:40 PST 2010


Hi,

I dug around and checked how portmapper.bro does logging, notices, and
interaction with other policy scripts. It seems that it
 * "logs" activity by setting the "addl" field for conn.log
 * creates NOTICEs for some activity
 * modifies the services field for connections that have an RPC
   service (e.g., NFS, ypserv, etc.)

See the attached file for details.

* The notice generation is very convoluted. I was wondering whether it
  makes sense to clean that up. (The attached file at least documents
  the behavior.)

* I want to add an actual portmapper.log file to log portmapper
  activity. If we have that, we wouldn't need the "addl" anymore. Is it
  worth removing it? (Esp. wrt the new logging framework)


cu
gregor
-- 
Gregor Maier                                             gregor at icir.org
Int. Computer Science Institute (ICSI)          gregor at icsi.berkeley.edu
1947 Center St., Ste. 600                    http://www.icir.org/gregor/
Berkeley, CA 94704
USA
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: portmapper-logging.txt
Url: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20101206/4faec88d/attachment.txt 
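As an added example (not from the mail, the attachment, or portmapper.bro itself), here is a sketch of what a dedicated portmapper.log stream under the logging framework could look like; once portmapper requests land in their own log, the per-connection "addl" annotation in conn.log would no longer be needed. The event names and record fields (pm_request_getport, pm_request_set, pm_request_unset, pm_port_request, pm_mapping) are taken from the Bro portmapper analyzer as I know it, and the Info layout and stream name are my own assumptions.

```bro
# Assumed sketch of a standalone portmapper.log; not the project's own code.
module Portmapper;

export {
    redef enum Log::ID += { LOG };

    # One line per portmapper request we see.
    type Info: record {
        ts:      time    &log;             # time of the RPC request
        uid:     string  &log;             # connection identifier
        id:      conn_id &log;             # 4-tuple of the portmapper connection
        method:  string  &log;             # GETPORT, SET or UNSET
        program: count   &log;             # RPC program number
        version: count   &log;             # RPC program version
        p:       port    &log &optional;   # port answered or (un)registered
        success: bool    &log &optional;   # only meaningful for SET/UNSET
    };
}

event bro_init()
    {
    # Creates portmapper.log with the columns of Info.
    Log::create_stream(Portmapper::LOG, [$columns=Info]);
    }

# A client asked which port a program/version is registered on.
event pm_request_getport(r: connection, pr: pm_port_request, p: port)
    {
    local rec: Info = [$ts=network_time(), $uid=r$uid, $id=r$id,
                       $method="GETPORT", $program=pr$program,
                       $version=pr$version, $p=p];
    Log::write(Portmapper::LOG, rec);
    }

# A service registered a program/version -> port mapping.
event pm_request_set(r: connection, m: pm_mapping, success: bool)
    {
    local rec: Info = [$ts=network_time(), $uid=r$uid, $id=r$id,
                       $method="SET", $program=m$program,
                       $version=m$version, $p=m$p, $success=success];
    Log::write(Portmapper::LOG, rec);
    }

# A service removed a mapping; unregistrations are worth keeping in the log too.
event pm_request_unset(r: connection, m: pm_mapping, success: bool)
    {
    local rec: Info = [$ts=network_time(), $uid=r$uid, $id=r$id,
                       $method="UNSET", $program=m$program,
                       $version=m$version, $p=m$p, $success=success];
    Log::write(Portmapper::LOG, rec);
    }
```

The other request types (NULL, DUMP, CALLIT) would get handlers of the same shape; the uid column lets each line be joined back to conn.log without the "addl" field.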