[Bro-Dev] Call for opinions on logging framework syntax problem
Bernhard Amann
bernhard at ICSI.Berkeley.EDU
Tue Nov 29 21:19:50 PST 2011
No, I have no real concrete example… I just tried to think of things people might perhaps want to do. And the use-case of having a set of ports for one IP did not seem too far-fetched.
Bernhard
On Nov 29, 2011, at 8:24 PM, Seth Hall wrote:
>
> On Nov 29, 2011, at 11:06 PM, Bernhard Amann wrote:
>
>> When adding the protocol directly to the port information, the log line would e.g. look like
>>
>> 12.12.12.12 53/udp,80/tcp,8080/tcp
>
>
> This is definitely one place where the email I just sent breaks down. It's the port value used outside of the context of a conn_id value. Do you have a concrete example of when you'd want to do something like this? I suspect that if you wanted to do that it would actually be better to organize your data in a different way. Like this:
>
> #fields host port proto
> 12.12.12.12 53 udp
> 12.12.12.12 80 tcp
> 12.12.12.12 8080 tcp
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
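As an added illustration of the two layouts under discussion (this is example code written for this page, not Bro's logging framework or code from either poster): the first function writes the "set of ports in one column" form from Bernhard's message, the second writes the one-row-per-(host, port, proto) form Seth proposes, and a small reader turns both back into the same structure. The tab separator, the `#fields` header line, the `,` set separator and the `number/proto` spelling are assumptions made here for the example.

```python
"""
Added example, not part of the bro-dev thread.
Assumptions (this example's choices, not necessarily the framework's):
tab-separated columns, a '#fields' header, ',' as the set separator,
and 'number/proto' for a port that must carry its protocol because it
appears outside a conn_id context.
"""

SEP = "\t"
SET_SEP = ","
PROTOS = ("tcp", "udp", "icmp")


def write_inline(host, ports):
    """Layout 1: one row per host, the whole port set in one column.
    ports is a list of (number, proto) tuples, e.g. [(53, "udp"), (80, "tcp")]."""
    header = "#fields" + SEP + SEP.join(["host", "ports"])
    cell = SET_SEP.join("%d/%s" % (num, proto) for num, proto in ports)
    return header + "\n" + host + SEP + cell + "\n"


def write_normalized(host, ports):
    """Layout 2: one row per (host, port, proto); the protocol is its own column,
    so the port column never needs to encode it."""
    header = "#fields" + SEP + SEP.join(["host", "port", "proto"])
    rows = [SEP.join([host, str(num), proto]) for num, proto in ports]
    return header + "\n" + "\n".join(rows) + "\n"


def parse_log(text):
    """Parse a tab-separated log with a '#fields' header into dicts.
    Other '#' lines are treated as metadata and skipped."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split(SEP)[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        cells = line.split(SEP)
        if len(cells) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append(dict(zip(fields, cells)))
    return records


def parse_port(cell):
    """Parse one 'number/proto' value. A bare number is rejected: outside a
    conn_id there is nothing else to say which protocol the port belongs to."""
    num, sep, proto = cell.partition("/")
    if not sep or proto not in PROTOS:
        raise ValueError("port without protocol: %r" % cell)
    n = int(num)
    if not 0 <= n <= 65535:
        raise ValueError("port out of range: %r" % cell)
    return n, proto


def ports_by_host(text):
    """Read either layout back into {host: [(port, proto), ...]}.
    The 'ports' column selects layout 1, 'port' plus 'proto' selects layout 2."""
    result = {}
    for rec in parse_log(text):
        if "ports" in rec:
            items = [parse_port(c) for c in rec["ports"].split(SET_SEP)] if rec["ports"] else []
        else:
            items = [parse_port(rec["port"] + "/" + rec["proto"])]
        result.setdefault(rec["host"], []).extend(items)
    return result


if __name__ == "__main__":
    # Constructed sample using the host and ports from the quoted message.
    sample = [(53, "udp"), (80, "tcp"), (8080, "tcp")]
    print(write_inline("12.12.12.12", sample))
    print(write_normalized("12.12.12.12", sample))
    print(ports_by_host(write_inline("12.12.12.12", sample)))
```

Both writers produce logs that `ports_by_host` reads back into the same mapping; the difference shows up in the reader, where layout 1 forces every port cell to carry its own protocol and layout 2 gets the protocol from a dedicated column. The `parse_port` check is the practical consequence of Seth's point: a `port` value logged on its own, without a protocol, cannot be interpreted safely.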