[Bro-Dev] $tag in notice_info

Seth Hall seth at icir.org
Mon Mar 7 17:27:44 PST 2011


On Mar 7, 2011, at 5:58 PM, Gregor Maier wrote:

> ... hmm. This actually reminds me about our discussion about having
> unique connection IDs (e.g., 64bit ints) in bro, that can then be used
> to locate a connection across log files.


Oh yeah.  What's your thought on this?  Would you like to have that value print out along with the IP addresses and ports with the connection log and other logs?

I think we may be able to work something out with the logging framework that makes it a little easier to work with.  I can imagine choosing to output that value instead of the 4-tuple for database logging since it should be easy to do the join to tie data back together. As I think about it, I'm liking that idea more and more.  Especially if we can pull it off cleanly.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
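An added illustration of the idea discussed above (example code written for this page, not code from the bro-dev thread or from Bro itself): why a per-connection 64-bit ID is a safer join key across log files than the IP/port 4-tuple. The conn and http records are constructed, and the ID scheme (a per-run epoch in the high 32 bits, a counter in the low 32 bits) is an assumption chosen for the example, not Bro's design.

```python
"""Added example, not code from the bro-dev thread or from Bro: shows why a
per-connection 64-bit ID is a safer join key across log files than the
IP/port 4-tuple, using constructed conn and http records."""
import itertools

# Constructed sample data. The client reuses ephemeral port 51234 fifteen
# minutes later, so both connections share one 4-tuple.
CONN_LOG = [
    {"ts": 1299545000.0, "orig_h": "10.0.0.5", "orig_p": 51234,
     "resp_h": "192.0.2.10", "resp_p": 80, "duration": 1.2},
    {"ts": 1299545900.0, "orig_h": "10.0.0.5", "orig_p": 51234,
     "resp_h": "192.0.2.10", "resp_p": 80, "duration": 0.4},
]
HTTP_LOG = [
    {"ts": 1299545000.3, "orig_h": "10.0.0.5", "orig_p": 51234,
     "resp_h": "192.0.2.10", "resp_p": 80, "uri": "/login"},
    {"ts": 1299545900.1, "orig_h": "10.0.0.5", "orig_p": 51234,
     "resp_h": "192.0.2.10", "resp_p": 80, "uri": "/admin"},
]

TUPLE_FIELDS = ("orig_h", "orig_p", "resp_h", "resp_p")


def four_tuple(rec):
    return tuple(rec[f] for f in TUPLE_FIELDS)


class ConnIdAllocator:
    """Hypothetical allocator for 64-bit connection IDs (an assumption for
    this example, not Bro's scheme): high 32 bits are a per-run epoch so IDs
    stay unique across sensor restarts, low 32 bits count new connections."""

    def __init__(self, run_epoch):
        self.run_epoch = run_epoch & 0xFFFFFFFF
        self._counter = itertools.count(1)

    def next_id(self):
        n = next(self._counter)
        if n > 0xFFFFFFFF:
            raise OverflowError("counter exhausted; start a new run epoch")
        return (self.run_epoch << 32) | n


def stamp_uids(conn_log, allocator):
    """Assign a uid to each connection in the order it was seen; a sensor
    would do this once, when the connection starts."""
    return [dict(rec, uid=allocator.next_id())
            for rec in sorted(conn_log, key=lambda r: r["ts"])]


def stamp_protocol_log(proto_log, conn_log_with_uids):
    """Give each protocol record the uid of the connection that was active
    when it was produced. Inside a sensor this is simply the uid of the live
    connection object; here it is recovered from the time window."""
    out = []
    for rec in proto_log:
        matches = [c for c in conn_log_with_uids
                   if four_tuple(c) == four_tuple(rec)
                   and c["ts"] <= rec["ts"] <= c["ts"] + c["duration"]]
        if len(matches) != 1:
            raise ValueError(f"ambiguous or missing connection for {rec}")
        out.append(dict(rec, uid=matches[0]["uid"]))
    return out


def join_by_tuple(conn_log, proto_log):
    """Join on the 4-tuple only: every reuse of the tuple multiplies matches."""
    return [(c, h) for c in conn_log for h in proto_log
            if four_tuple(c) == four_tuple(h)]


def join_by_uid(conn_log, proto_log):
    """Join on uid: exactly one connection per protocol record."""
    by_uid = {c["uid"]: c for c in conn_log}
    return [(by_uid[h["uid"]], h) for h in proto_log if h["uid"] in by_uid]


def demo():
    conns = stamp_uids(CONN_LOG, ConnIdAllocator(run_epoch=1299545000))
    https = stamp_protocol_log(HTTP_LOG, conns)
    uid_rows = join_by_uid(conns, https)
    return {
        "tuple_join_rows": len(join_by_tuple(conns, https)),  # 4: cross product
        "uid_join_rows": len(uid_rows),                       # 2: one each
        "uid_join_correct": all(c["ts"] <= h["ts"] <= c["ts"] + c["duration"]
                                for c, h in uid_rows),
        "uids": [c["uid"] for c in conns],
    }


if __name__ == "__main__":
    print(demo())
```

The 4-tuple join returns four rows for two connections because the client reused its ephemeral port, so each http record matches both connections; the uid join returns exactly two. In a database the same join is simply an equality on the uid column, with the 4-tuple kept in the conn table only.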
