[Bro-Dev] Connection Compressor
sridhar basam
sri at basam.org
Mon Aug 15 10:48:22 PDT 2011
On Mon, Aug 15, 2011 at 1:29 PM, Seth Hall <seth at icir.org> wrote:
>
> On Aug 15, 2011, at 1:09 PM, Jim Mellander wrote:
>
> > We like setting record_state_history=T to record the flags that were seen
> > during the connection, and found that the connection compressor didn't play
> > nicely with that, in some cases.
>
> Sounds like more evidence for removing the conn compressor if possible.
> Also, state history is included in the new conn logs by default.
Not to pile on...
I disable the CC in some cases where I need better timing on connections.
With CC enabled, it discards some of the duplicate packets. I may be in the
minority though, I am not using Bro as an IDS. I use it as an analytical
tool in my case.
Sridhar