[Bro-Dev] Portmapper logging

Vern Paxson vern at icir.org
Mon Dec 6 12:44:53 PST 2010


> I would really like to see any activity logs for policy scripts moved
> out into their own logs.

I like that notion too.  (But still with the don't-fix-what's-not-broke
model of prioritization.)

> At OSU for instance, we didn't even keep the conn.log (we closed the log
> file) because it was mostly repetitive data that we didn't get much benefit
> from keeping.

I find that very surprising.  At LBL, the conn logs are often of crucial
forensic significance.  One form of this comes up when an attacker sets
up a backdoor on port XYZ, which will only appear in the conn logs.  Another
is when the activity involves a service for which there's no Bro analyzer.

		Vern
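The forensic point made above is that a conn log records every flow, including traffic to a port with no protocol analyzer behind it. The script below is an added example, not code from this thread or from the Bro project: it parses a constructed conn.log excerpt and groups established connections whose service field is "-" (no analyzer identified the protocol) by responder host and port, keeping only flows that were long-lived or carried real data. It assumes a tab-separated conn.log with a `#fields` header and the column names shown in the sample; an older conn.log layout would need a different parser, and the thresholds are arbitrary starting points.

```python
"""Find connections in a conn.log that no protocol analyzer identified.

Added example (not from the mailing-list thread). Assumes the tab-separated
conn.log layout with a '#fields' header; sample data below is constructed.
"""
from collections import defaultdict

# Constructed conn.log excerpt (not real traffic). Addresses are documentation
# ranges; C3/C4 are long, data-heavy flows to a port with no identified service.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1291660800.0\tC1\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\thttp\t0.5\t300\t1200\tSF
1291660801.0\tC2\t10.0.0.5\t51235\t192.0.2.10\t443\ttcp\tssl\t1.2\t800\t4000\tSF
1291660802.0\tC3\t198.51.100.7\t40001\t10.0.0.9\t31337\ttcp\t-\t3600.0\t5000\t90000\tSF
1291660803.0\tC4\t198.51.100.7\t40002\t10.0.0.9\t31337\ttcp\t-\t1800.0\t2000\t40000\tSF
1291660804.0\tC5\t10.0.0.5\t51236\t192.0.2.20\t53\tudp\tdns\t0.01\t60\t120\tSF
1291660805.0\tC6\t10.0.0.6\t51237\t10.0.0.9\t22\ttcp\t-\t0.1\t0\t0\tS0
"""


def _num(value, conv=float):
    """Numeric fields may be '-' (unset) in a conn.log; treat that as zero."""
    return conv(value) if value != "-" else conv(0)


def parse_conn_log(text):
    """Return one dict per record, keyed by the names in the '#fields' line."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def unidentified_services(records, min_duration=60.0, min_bytes=1024):
    """Group established flows with no analyzer-identified service by
    (responder host, responder port, proto), keeping only flows that were
    long-lived or moved real data. Returns (key, stats) pairs, largest first."""
    buckets = defaultdict(lambda: {"count": 0, "duration": 0.0, "bytes": 0})
    for r in records:
        if r["service"] != "-" or r["conn_state"] != "SF":
            continue  # a known service, or never an established connection
        dur = _num(r["duration"])
        total = _num(r["orig_bytes"], int) + _num(r["resp_bytes"], int)
        if dur < min_duration and total < min_bytes:
            continue  # short and empty: scan noise, not a session
        key = (r["id.resp_h"], int(r["id.resp_p"]), r["proto"])
        b = buckets[key]
        b["count"] += 1
        b["duration"] += dur
        b["bytes"] += total
    return sorted(buckets.items(), key=lambda kv: kv[1]["bytes"], reverse=True)


if __name__ == "__main__":
    for (host, port, proto), stats in unidentified_services(parse_conn_log(SAMPLE_CONN_LOG)):
        print(f"{host}:{port}/{proto}  flows={stats['count']}  "
              f"duration={stats['duration']:.0f}s  bytes={stats['bytes']}")
```

Run against a real conn.log by reading the file instead of `SAMPLE_CONN_LOG`; the output for the sample is a single line for 10.0.0.9:31337/tcp, which is exactly the kind of entry that would be invisible if the conn log had been discarded.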


