[Bro-Dev] Unique connection ID for bro <-> logging framework
Gregor Maier
gregor at icir.org
Fri Dec 10 11:06:53 PST 2010
> - however, I think there'd need to be one more piece to that story:
> the IDs should be unique across Bro runs. Otherwise crunching
> information from a big log archive wouldn't be much better than it
> is today. But that would probably mean we'd need to go beyond
> 64-bit integers, perhaps to a string prefixed with something likely
> to be unique.
We can probably keep a 64 bit counter internally and also add a
bro_instance_ID, that's globally unique across Bro runs. For logging, we
can then log the 64 bit counter and the instance_ID, or concatenate the
two (I would guess that the instance_ID will be handy in other
situations too). Doesn't the cluster already have/need something like that?
In order to generate such an instance_ID, we could:

a) make sure it's truly globally unique, e.g., by using a
   cryptographically secure, long (128 bit, maybe even 160 or more)
   random number. Possibly from an entropy pool (can we use OpenSSL for
   that?)

b) the user supplies a "hostID", we can then add time and PID
   and hash all that together to get the instance ID, e.g.,
       md5(hostID + PID + gettimeofday())
   (this should probably be fairly tolerant even if the hostID gets
   reused across machines).
cu
Gregor
--
Gregor Maier gregor at icir.org
Int. Computer Science Institute (ICSI) gregor at icsi.berkeley.edu
1947 Center St., Ste. 600 http://www.icir.org/gregor/
Berkeley, CA 94704
USA
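
Both ways of generating an instance ID proposed in the message above, and the instance ID combined with the 64-bit counter, as an added example that is not part of the original post or of Bro's code. The function and class names, the length-prefixed `|`-delimited hash input, and the `instance-counter` output format are assumptions.

```python
import hashlib
import os
import secrets
import time


def random_instance_id(bits=128):
    """Option (a): ID drawn from the OS CSPRNG, hex-encoded."""
    return secrets.token_hex(bits // 8)


def hashed_instance_id(host_id, pid=None, now_us=None):
    """Option (b): md5(hostID + PID + gettimeofday()).

    Fields are length-prefixed and delimited (an assumption, not in the post)
    so that different (hostID, PID) pairs never build the same input string.
    """
    pid = os.getpid() if pid is None else pid
    now_us = time.time_ns() // 1000 if now_us is None else now_us
    material = f"{len(host_id)}:{host_id}|{pid}|{now_us}"
    return hashlib.md5(material.encode("utf-8")).hexdigest()


class ConnIdAllocator:
    """Pairs a per-run instance ID with the internal 64-bit counter."""

    def __init__(self, instance_id):
        self.instance_id = instance_id
        self.counter = 0

    def next_uid(self):
        # Wrap at 64 bits, as a fixed-width internal counter would.
        self.counter = (self.counter + 1) & 0xFFFFFFFFFFFFFFFF
        return f"{self.instance_id}-{self.counter:016x}"


if __name__ == "__main__":
    # Constructed inputs: two runs that reuse the same hostID and PID.
    run1 = hashed_instance_id("sensor-a", pid=4242, now_us=1292007600000001)
    run2 = hashed_instance_id("sensor-a", pid=4242, now_us=1292007600000002)
    print("option (b), 1 us apart:", run1, run2)
    alloc = ConnIdAllocator(random_instance_id())
    print("option (a) connection IDs:", alloc.next_uid(), alloc.next_uid())
```

Option (b) produces the same ID whenever hostID, PID and timestamp all coincide, while option (a) has no inputs that can coincide.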