[Bro-Dev] notice tags?

Clark, Gilbert gc355804 at ohio.edu
Thu Jun 2 11:55:27 PDT 2011

What about synchronizing a seed across the bro cluster, and using that seed to generate random() concatenated with 48 bits obtained from the machine (adapter Ethernet address?) to ensure the starting value was unique across the whole cluster?

From: bro-dev-bounces at bro-ids.org [bro-dev-bounces at bro-ids.org] On Behalf Of Seth Hall [seth at icir.org]
Sent: Thursday, June 02, 2011 1:58 PM
To: Vern Paxson
Cc: Bro Dev
Subject: Re: [Bro-Dev] notice tags?

On Jun 2, 2011, at 1:47 PM, Vern Paxson wrote:

>> If we had a random() BiF I think we could do it pretty easily in scripting land because we could just fmt() the output from the random() function and trim it to a certain length.
> I'm not sure that's as good.  We either need long tags, or have to start
> worrying about collisions.  (Though if we had formatting to something like
> radix-64, then we could probably get both short tags and almost no chance
> of collision.)

The random() data would only be used for a notice prefix.  I think we'd only generate the random ID at init time and then use an incrementing counter as a postfix for the full ID of each notice after that, which is how it's done now.  The only chance we'd have for collisions would be in a cluster context between nodes generating notices.  Each node would never generate a conflict unless it managed to overflow a 64-bit int. :)


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
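The scheme the three messages sketch, as an added example in Python rather than Bro script (it is not code from the thread or from Bro itself): a radix-64 tag as Vern suggests, Clark's shared-seed-plus-MAC prefix, Seth's init-time prefix with an incrementing counter postfix, and the birthday bound for the pure-random alternative. The alphabet, the '.' separator, the bit widths, and the seed and MAC values are all constructed assumptions.

```python
import math
import random

# URL-safe radix-64 alphabet: 6 bits per symbol (constructed for this example).
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"

def radix64(value, width):
    """Encode a non-negative int as exactly `width` radix-64 symbols, most significant first."""
    if value < 0 or value >> (6 * width):
        raise ValueError("value does not fit in %d radix-64 symbols" % width)
    return "".join(ALPHABET[(value >> (6 * i)) & 63] for i in reversed(range(width)))

def node_prefix(shared_seed, mac48, rand_bits=12):
    """Clark's construction: random bits from a cluster-wide seed, concatenated with the
    node's 48-bit adapter address. Two nodes with distinct MACs can never share a prefix;
    the random part only tells one cluster run apart from the next."""
    if not 0 <= mac48 < 1 << 48:
        raise ValueError("mac48 must be a 48-bit value")
    rnd = random.Random(shared_seed).getrandbits(rand_bits)  # identical on every node
    return (rnd << 48) | mac48

class NoticeIds:
    """Seth's scheme: a prefix fixed once at init time, then an incrementing counter postfix.
    '.' separates the two because it is not in the radix-64 alphabet."""
    def __init__(self, prefix, width=10):
        self.tag = radix64(prefix, width)  # 10 symbols hold the 60-bit default prefix
        self.counter = 0

    def next(self):
        self.counter += 1
        return "%s.%d" % (self.tag, self.counter)

def collision_probability(n_nodes, prefix_bits):
    """Birthday bound for n nodes that each pick an independent random prefix (no MAC),
    computed in log space so probabilities near 2**-64 do not round to zero."""
    space = 2.0 ** prefix_bits
    if n_nodes > space:
        return 1.0
    log_no_collision = sum(math.log1p(-i / space) for i in range(n_nodes))
    return -math.expm1(log_no_collision)

if __name__ == "__main__":
    seed = 0x5EED  # constructed: the seed the manager would distribute to all workers
    worker1 = NoticeIds(node_prefix(seed, 0x020000000001))  # constructed MACs
    worker2 = NoticeIds(node_prefix(seed, 0x020000000002))
    print(worker1.next(), worker1.next(), worker2.next())
    for bits in (32, 64):
        print("100 nodes, independent %d-bit prefixes: P(collision) ~ %.3g"
              % (bits, collision_probability(100, bits)))
```

With 100 workers the independent 32-bit prefix already carries a roughly one-in-a-million collision chance per run, while the MAC-based prefix collides only if two nodes report the same adapter address.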
