[Bro-Dev] Portmapper logging
Seth Hall
seth at icir.org
Mon Dec 6 12:47:50 PST 2010
On Dec 6, 2010, at 3:44 PM, Vern Paxson wrote:
> I find that very surprising. At LBL, the conn logs are often of crucial
> forensic significance. One form of this comes up when an attacker sets
> up a backdoor on port XYZ, which will only appear in the conn logs. Another
> is when the activity involves a service for which there's no Bro analyzer.
Netflow logs. :) OSU being OSU, we tried to carefully maintain our archive of netflow.
.Seth