[Bro-Dev] $tag in notice_info

Seth Hall seth at icir.org
Tue Mar 8 10:08:59 PST 2011


On Mar 8, 2011, at 11:37 AM, Robin Sommer wrote:

> I like switching from notice tags to a generic conn id used
> consistently across logs. My only request is that we make sure we can
> identify a connection uniquely even across Bro runs. Then one can just
> scan a whole log archive for a specific connection without needing to
> worry about when Bro started etc.


What do you think about using UUID/GUID?  I don't know about the overhead to create those values and they're probably quite a bit larger than we need (128-bits displayed as hex), but it would be interesting to be able to have unique values per run and per instance.  It'd end up being globally unique log identifiers. :)  The length would be pretty annoying though.

What sort of uniqueness are we aiming for here?  I don't think that was ever very clearly laid out in the previous thread.  With GUID we could do uniqueness for eternity (or close to it), but if we do something like hash the bytes for the $start_time timestamp and the 4-tuple, that may be unique enough for most cases.  I don't know what the relative overheads for generating that hash or the GUID would be either, which could be a concern.

  .Seth
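The two candidate schemes discussed above, as an added example and not code from Bro itself or from anyone in this thread: a deterministic id derived by hashing the connection start timestamp together with the 4-tuple (so two independent Bro runs that see the same connection derive the same id, with no dependence on when Bro started), beside a random UUID. The field names, the choice of SHA-256 truncated to 96 bits, the base62 encoding and the 6-digit timestamp precision are all assumptions made here for illustration, not a description of the scheme Bro ended up using.

```python
import hashlib
import uuid

# base62 keeps the id short and safe to paste into a log grep (assumed encoding)
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def base62(n: int) -> str:
    """Encode a non-negative integer as a base62 string."""
    if n == 0:
        return ALPHABET[0]
    out = []
    while n:
        n, r = divmod(n, 62)
        out.append(ALPHABET[r])
    return "".join(reversed(out))


def conn_hash_uid(start_time: float, orig_h: str, orig_p: int,
                  resp_h: str, resp_p: int, nbits: int = 96) -> str:
    """Deterministic id: SHA-256 over (start_time, 4-tuple), truncated to nbits.

    The timestamp is fixed to microsecond precision (assumed) so that two
    Bro instances formatting the same $start_time agree byte-for-byte.
    Same inputs -> same id, regardless of which run produced it.
    """
    key = f"{start_time:.6f}|{orig_h}|{orig_p}|{resp_h}|{resp_p}".encode()
    digest = hashlib.sha256(key).digest()
    return base62(int.from_bytes(digest[: nbits // 8], "big"))


def conn_uuid() -> str:
    """Random id: 128 random bits, the 32-hex-char form mentioned in the thread.

    Globally unique with overwhelming probability, but a second Bro run
    observing the same packets would assign a *different* id.
    """
    return uuid.uuid4().hex


def uid_lengths() -> dict:
    """Compare the string length of both schemes on a constructed connection."""
    h = conn_hash_uid(1299607079.123456, "10.0.0.5", 51234, "192.0.2.10", 80)
    u = conn_uuid()
    return {"hash96_base62": len(h), "uuid_hex": len(u)}


if __name__ == "__main__":
    # Constructed sample connection, not captured data.
    a = conn_hash_uid(1299607079.123456, "10.0.0.5", 51234, "192.0.2.10", 80)
    b = conn_hash_uid(1299607079.123456, "10.0.0.5", 51234, "192.0.2.10", 80)
    c = conn_hash_uid(1299607080.000000, "10.0.0.5", 51234, "192.0.2.10", 80)
    print("same conn, two runs:", a == b)      # True: reproducible across runs
    print("same 4-tuple, later start:", a != c)  # True: start_time disambiguates
    print("lengths:", uid_lengths())
```

The 96-bit truncation is a trade-off the thread raises but does not settle: it is not collision-free "for eternity" the way a 128-bit random UUID effectively is, but with start time in the key a collision needs two connections with identical 4-tuple and identical microsecond start, which in practice is the same connection.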
