[Bro-Dev] [Bro-Commits] [git/bro] topic/robin/conn-ids: Extending conn_id with a globally unique identifiers. (881071c)

Robin Sommer robin at icir.org
Wed Mar 16 09:32:13 PDT 2011

On Wed, Mar 16, 2011 at 12:02 -0400, you wrote:

> I guess direct comparisons aren't really done that frequently, but
> table and set lookups are done all the time.  Would it affect table
> and set lookups to have the extra string to compare?

One could now actually use the uid as the table index ... However,
that wouldn't be as intuitive as using the whole conn_id and I don't
think I want to advocate that.

However, here's a disruptive alternative: we could move
{orig,resp}{_h,_p} into the connection record and then use the unique
identifier as the "id" directly ... (Wouldn't do the automatic logging
of both though). 

>  It shouldn't affect lookup time much (or any) should it?

It could a little bit but nothing significant I'd guess (but always
hard to say).

> It also gives us the option for changing the default filter to remove
> either the 4-tuple or the unique string so that sites could choose
> globally what shows up in their logs if they are just running the
> default filters.

Assuming fields are named consistently, that would also work if the uid
were explicitly included into the log record.

So, I'm fine going either way, conn_id or connection.


Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
