[Bro-Dev] conn.bro
Seth Hall
seth at icir.org
Tue May 3 12:57:19 PDT 2011
On May 3, 2011, at 3:37 PM, Robin Sommer wrote:
>> Isn't that what c$start_time is?
>
> Sorry, I wasn't clear: I prefer to have c$start_time *logged*.
It is. Do you want the field named "start_time"? I was just trying to keep consistency among those first several fields for all of the logs with the assumption that in each case the $ts field is the earliest evident activity for whatever the logged data is (initial request for http, first packet for conn, etc).
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/