[Bro-Dev] $tag in notice_info

Seth Hall seth at icir.org
Tue Mar 8 08:14:00 PST 2011


On Mar 8, 2011, at 11:01 AM, Gregor Maier wrote:

> For notices that's true.
> I would like to have the same / a similar mechanism for other log files
> (e.g., http.log) as well.


That's what I'm working towards.  I'm not too concerned about disk space so I was thinking of just including the identifier alongside the connection 4-tuple in every log.  It would actually be kind of nice.  If someone is particularly concerned about disk space issues in their environment, they'd be able to reconfigure the logging framework locally to either not include the 4-tuple or not include the connection identifier (or include neither if they're crazy).

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
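Added example, not code from this thread or from Bro itself: it shows why carrying a per-connection identifier next to the 4-tuple in every log matters when joining http.log against conn.log. The log lines are constructed, and the column name `uid` is an assumption about how the identifier would be labelled.

```python
# Added example (not from the Bro-Dev thread): joining Bro-style logs on the
# per-connection identifier proposed above (column name "uid" assumed here)
# versus joining on the 4-tuple alone. Sample log lines are constructed.
import csv
import io

CONN_LOG = """\
ts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration
1299600000.10\tCUID1\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\t0.5
1299600001.10\tCUID2\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\t0.4
"""

HTTP_LOG = """\
ts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\turi
1299600000.12\tCUID1\t10.0.0.5\t51234\t192.0.2.10\t80\tGET\t/index.html
1299600001.15\tCUID2\t10.0.0.5\t51234\t192.0.2.10\t80\tGET\t/login
"""

FOUR_TUPLE = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p")

def parse_log(text):
    """Parse a tab-separated log with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter="\t"))

def join_by_key(left, right, key_fn):
    """Return {key: (left rows, right rows)} grouping both logs by key_fn."""
    groups = {}
    for side, rows in ((0, left), (1, right)):
        for row in rows:
            groups.setdefault(key_fn(row), ([], []))[side].append(row)
    return groups

def join_by_4tuple(conn, http):
    # Port reuse means one 4-tuple can cover several distinct connections.
    return join_by_key(conn, http, lambda r: tuple(r[f] for f in FOUR_TUPLE))

def join_by_uid(conn, http):
    # The identifier is unique per connection, so each key has one conn row.
    return join_by_key(conn, http, lambda r: r["uid"])

def ambiguous_keys(groups):
    """Keys whose join is not one-to-one (zero or several conn rows)."""
    return [k for k, (c, h) in groups.items() if len(c) != 1]

if __name__ == "__main__":
    conn, http = parse_log(CONN_LOG), parse_log(HTTP_LOG)
    print("ambiguous 4-tuples:", ambiguous_keys(join_by_4tuple(conn, http)))
    print("ambiguous uids:", ambiguous_keys(join_by_uid(conn, http)))
```

With the two constructed connections reusing the same client port, the 4-tuple join cannot tell which HTTP request belongs to which connection, while the identifier join is exact.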
