[Bro-Dev] $tag in notice_info

Seth Hall seth at icir.org
Mon Mar 7 13:47:56 PST 2011


On Mar 7, 2011, at 4:37 PM, Robin Sommer wrote:

> It uniquely identifies the NOTICE and can then be used at other
> locations to refer to it. The only use of it I recall right now is in
> conn.log: the relevant connection shows the tag in the addl field.

Ah, ok.

> I'm actually not sure how helpful having the tag is, I don't think
> I've ever used the tag but always grep for the 4-tuple right away.
That's sort of what I tend towards as well.  My first inclination was to remove it since it's not used much.  It should be possible to extend the connection logging with the logging framework to modularly add it back in later if someone wants to use it.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
