[Bro-Dev] Call for opinions on logging framework syntax problem

Seth Hall seth at icir.org
Tue Nov 29 20:24:31 PST 2011

On Nov 29, 2011, at 11:06 PM, Bernhard Amann wrote:

> When adding the protocol directly to the port information, the log line would e.g. look like
> 53/udp,80/tcp,8080/tcp

This is definitely one place where the email I just sent breaks down.  It's the port value used outside of the context of a conn_id value.  Do you have a concrete example of when you'd want to do something like this?  I suspect that if you wanted to do that it would actually be better to organize your data in a different way.  Like this:

#fields host	port	proto
	53	udp
	80	tcp
	8080	tcp


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
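
The reorganization suggested above, as an added example that is not part of the original message and not Bro's own code: it expands a set-valued `port/proto` field into one row per port with separate `port` and `proto` columns. The host addresses, the `ports` column name, the protocol list and the tab-separated sample are constructed assumptions.

```python
# Accepted protocol names are an assumption made for this example.
VALID_PROTOS = {"tcp", "udp", "icmp", "unknown"}

# Constructed sample: one row per host, with a set-valued "ports" column
# that carries the protocol inside each element (the quoted proposal).
COMBINED_LOG = (
    "#fields\thost\tports\n"
    "192.0.2.10\t53/udp,80/tcp,8080/tcp\n"
    "192.0.2.11\t22/tcp\n"
)

def parse_port(element):
    """Split one 'port/proto' element into (int port, proto), validating both."""
    number, sep, proto = element.partition("/")
    if not sep or not number.isdigit() or proto not in VALID_PROTOS:
        raise ValueError(f"malformed port element: {element!r}")
    port = int(number)
    if port > 65535:
        raise ValueError(f"port out of range: {element!r}")
    return port, proto

def normalize(log_text, set_separator=","):
    """Expand each set-valued row into one (host, port, proto) row per element."""
    lines = log_text.splitlines()
    header = lines[0].split("\t")
    if header[0] != "#fields":
        raise ValueError("missing #fields header")
    names = header[1:]
    rows = []
    for line in lines[1:]:
        record = dict(zip(names, line.split("\t")))
        for element in record["ports"].split(set_separator):
            port, proto = parse_port(element)
            rows.append((record["host"], port, proto))
    return rows

def render(rows):
    """Emit the normalized layout: separate port and proto columns."""
    out = ["#fields\thost\tport\tproto"]
    out += [f"{host}\t{port}\t{proto}" for host, port, proto in rows]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render(normalize(COMBINED_LOG)), end="")
```

With one row per port, a consumer can filter on `port` or `proto` by column instead of re-parsing a combined string in every query.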
