[Bro-Dev] $tag in notice_info
Robin Sommer
robin at icir.org
Wed Mar 9 10:05:46 PST 2011
On Tue, Mar 08, 2011 at 10:37 -0800, you wrote:
> I don't think we have to go that far. However, I think that using
> 128 bits might be helpful. We could then have a 64-bit counter and
> generate a 64-bit Bro run-ID.
I'm not convinced we need the separate run-id. Note that while it
would allow getting all connections from the same run, it doesn't get
all the *logs* from the same run (because some logs may not have
connection-level semantics). That doesn't seem worth storing an
additional 64-bit value with every connection in almost every log to
me. Also, 128-bit is really long and ugly.
So I propose we go with a single 64-bit value that combines the run-id
and the conn-id into a likely unique value, something like in this
pseudo-code:

    struct { uint64 run_id; uint64 conn_count } id;
    id.run_id = md5(hostname, timeofday, pid);
    id.conn_count = ++global_conn_counter;
    uint64 unique_val = crc64(id);

Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
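
The scheme proposed in the message above, as a runnable sketch. This is an added example, not code from the original mail or from Bro. The CRC-64 variant (ECMA-182 parameters), the byte layout of the struct, the truncation of MD5 to its first 8 bytes, and the names ConnIdGenerator, make_run_id and collision_probability are assumptions; the sample hostname, time and pid are constructed.

```python
import hashlib
import math
import struct

# Assumption: the mail does not say which CRC-64 is meant; this uses the
# CRC-64/ECMA-182 parameters (MSB-first, init 0, no final XOR).
CRC64_POLY = 0x42F0E1EBA9EA3693
MASK64 = 0xFFFFFFFFFFFFFFFF

def crc64(data: bytes) -> int:
    """Bitwise CRC-64/ECMA-182 over data."""
    crc = 0
    for byte in data:
        crc ^= byte << 56
        for _ in range(8):
            top = crc & (1 << 63)
            crc = (crc << 1) & MASK64
            if top:
                crc ^= CRC64_POLY
    return crc

def make_run_id(hostname: str, timeofday: float, pid: int) -> int:
    """run_id = md5(hostname, timeofday, pid), truncated to 64 bits."""
    material = f"{hostname}|{timeofday!r}|{pid}".encode()
    return int.from_bytes(hashlib.md5(material).digest()[:8], "big")

class ConnIdGenerator:
    """Hypothetical helper: one instance per process run."""

    def __init__(self, hostname: str, timeofday: float, pid: int):
        self.run_id = make_run_id(hostname, timeofday, pid)
        self.conn_count = 0

    def next_id(self) -> int:
        # struct { uint64 run_id; uint64 conn_count } hashed down to 64 bits
        self.conn_count = (self.conn_count + 1) & MASK64
        return crc64(struct.pack(">QQ", self.run_id, self.conn_count))

def collision_probability(n_ids: int, bits: int = 64) -> float:
    """Birthday estimate, assuming the IDs behave like uniform random values."""
    return -math.expm1(-n_ids * (n_ids - 1) / 2 ** (bits + 1))

if __name__ == "__main__":
    gen = ConnIdGenerator("sensor-1.example", 1299693946.0, 4242)  # constructed
    print([f"{gen.next_id():016x}" for _ in range(3)])
    print(f"{collision_probability(10**9):.4f}")
```

Because a CRC with a zero initial value is linear and this polynomial has a nonzero constant term, two different counter values under the same run_id cannot produce the same 64-bit output until the counter wraps. The birthday estimate therefore describes the risk of collisions between IDs from different runs.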