[Bro-Dev] semantics of ts field for known_services?
seth at icir.org
Wed Nov 30 20:06:39 PST 2011
On Nov 30, 2011, at 6:03 PM, Vern Paxson wrote:
> Is this field meant to capture when the determination was made that a given
> service is running somewhere? For a slice-trace I'm analyzing, I see it's
> on the ACK by the client of the first line sent back by the server. Not
> quite what I would expect, but also not necessarily any sort of issue.
The semantics of that field are a little fuzzy. If a protocol was detected, the field contains the time that the analyzer generated the ProtocolConfirmation. If no protocol was detected, a scheduled event is set for several minutes (I think 5 by default) so that Bro can wait and see if a better connection where a protocol is detected comes along before it goes to log the service. Hm, I guess the semantics are pretty clear, the ts field always contains the time when the log record was written. Determining why that happened when it did is a bit fuzzy.
International Computer Science Institute
(Bro) because everyone has a network
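As an added illustration (not code from the Bro project or from this thread), the following Python model replays a constructed event timeline and assigns ts the way the reply describes: at the analyzer's protocol confirmation, or, when nothing is confirmed, when a deferred timer fires. The 300-second wait, the event names and the addresses are assumptions made for the example.

```python
import heapq
from dataclasses import dataclass

DEFER = 300.0  # assumed: the "several minutes" wait (the reply recalls 5 minutes by default)

@dataclass
class Event:
    t: float        # packet time at which the event fires
    kind: str       # "established", "confirmed" (analyzer ProtocolConfirmation) or "timer"
    host: str
    port: int
    service: str = ""  # analyzer name carried by a "confirmed" event

def simulate(events, defer=DEFER):
    """Replay a constructed timeline and return known_services records as
    (ts, host, port, service) in the order they were written; ts is always
    the time the record was written, as the reply states."""
    queue = [(e.t, i, e) for i, e in enumerate(events)]
    heapq.heapify(queue)
    seq, known, log = len(events), set(), []
    while queue:
        t, _, e = heapq.heappop(queue)
        key = (e.host, e.port)
        if e.kind == "established":
            # no protocol yet: defer, so a later confirmed connection can win
            seq += 1
            heapq.heappush(queue, (t + defer, seq, Event(t + defer, "timer", e.host, e.port)))
        elif key in known:
            continue          # already logged; a late timer or repeat confirmation is dropped
        elif e.kind == "confirmed":
            known.add(key)
            log.append((t, e.host, e.port, e.service))   # ts = confirmation time
        elif e.kind == "timer":
            known.add(key)
            log.append((t, e.host, e.port, "-"))         # ts = when the timer fired
    return log

def sample_timeline():
    """Constructed events (not from a real trace)."""
    return [
        Event(10.0, "established", "10.0.0.5", 80),
        Event(10.2, "confirmed", "10.0.0.5", 80, "HTTP"),   # logged at 10.2
        Event(20.0, "established", "10.0.0.9", 4444),        # never confirmed: logged at 320.0
        Event(30.0, "established", "10.0.0.7", 25),          # first SMTP conn, no confirmation
        Event(100.0, "established", "10.0.0.7", 25),
        Event(100.5, "confirmed", "10.0.0.7", 25, "SMTP"),   # better conn wins; timers suppressed
    ]

if __name__ == "__main__":
    for rec in simulate(sample_timeline()):
        print(rec)
```

The third record shows why an unconfirmed service's ts can sit minutes after the connection it came from, while a confirmed one carries the confirmation time.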