[Bro-Dev] flipped connections?

Vern Paxson vern at icir.org
Sun Jan 6 22:12:03 PST 2013


> Would it make sense for us to begin indicating if Bro "flipped" a
> connection in the conn.log?

I have several thoughts on this.  First, yes, flipping is an ongoing
source of problems due to errors that sometimes arise.  Second, the right
way to solve this is using connection history.

That said, I think right now connection history lacks any indication of
just which host was first seen on a flow.  I think that's needed to solve
this the correct way (i.e., using history).

> It seems to me like an additional
> boolean value in conn.log would be helpful to know if a connection was
> flipped or not.

I think the problem with this is knowing whether to view the information
as actionable or not (i.e., you still have to decide whether the flipping
was correct or erroneous).  Doing it instead on history lets you make the
full decision yourself in your postprocessing.

		Vern
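As an added example, not part of Vern's message or of Bro's own code: a small postprocessor in the spirit of the approach he favors, which leaves the flip decision to the analyst. It reads the conn.log `history` column (Bro 2.x letters, uppercase for packets from the originator, lowercase for the responder) and applies explicit, tunable heuristics to decide which connections deserve a second look. The log rows, the `CExample*` uids and the `LIKELY_SERVER_PORTS` set are constructed for the example and are not Bro settings.

```python
"""Postprocess a Bro conn.log and flag connections whose orientation looks doubtful.

Added example, not Bro code: the heuristics below are the analyst's own and are
meant to be tuned, which is the point of deciding in postprocessing.
"""
from typing import Dict, List, Tuple

# Bro 2.x conn.log history letters for TCP, lowercased here; the case of the
# letter in the log tells you which side sent the packet.
TCP_HISTORY_LETTERS = {
    "s": "SYN without ACK",
    "h": "SYN+ACK",
    "a": "pure ACK",
    "d": "payload",
    "f": "FIN",
    "r": "RST",
}

# Ports an analyst expects on the responder side of a client-to-server flow.
# Hypothetical knob for this example only; tune it for your own network.
LIKELY_SERVER_PORTS = {22, 25, 53, 80, 443}

# Constructed sample conn.log (a subset of the real columns), tab-separated as Bro writes it.
SAMPLE_CONN_LOG = "\n".join("\t".join(row) for row in [
    ["#separator \\x09"],
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "history"],
    ["#types", "time", "string", "addr", "port", "addr", "port", "enum", "string"],
    ["1357537923.000000", "CExample1", "10.0.0.5", "51234", "192.0.2.10", "443", "tcp", "ShADadFf"],
    ["1357537924.000000", "CExample2", "192.0.2.10", "443", "10.0.0.6", "51235", "tcp", "ShADadFf"],
    ["1357537925.000000", "CExample3", "10.0.0.7", "51236", "192.0.2.11", "80", "tcp", "hADadfF"],
    ["1357537926.000000", "CExample4", "10.0.0.8", "51237", "192.0.2.12", "53", "udp", "Dd"],
    ["1357537927.000000", "CExample5", "10.0.0.9", "51238", "192.0.2.13", "8080", "tcp", "sHadDfF"],
])


def parse_history(history: str) -> List[Tuple[str, str]]:
    """Turn a history string into (side, event) pairs in the order Bro recorded them."""
    events = []
    for ch in history:
        if ch == "-":  # Bro writes "-" for an unset field
            continue
        side = "orig" if ch.isupper() else "resp"
        events.append((side, TCP_HISTORY_LETTERS.get(ch.lower(), ch.lower())))
    return events


def flip_reasons(orig_p: int, resp_p: int, history: str) -> List[str]:
    """Reasons to doubt the recorded originator/responder roles; empty means it looks right."""
    events = parse_history(history)
    reasons: List[str] = []

    def note(reason: str) -> None:
        if reason not in reasons:
            reasons.append(reason)

    # Handshake evidence that contradicts the assigned roles.
    for side, event in events:
        if side == "resp" and event == "SYN without ACK":
            note("responder sent a bare SYN")
        if side == "orig" and event == "SYN+ACK":
            note("originator sent a SYN+ACK")
    # Roles inferred from a SYN+ACK with no SYN before it: the SYN was missed.
    if events and events[0] == ("resp", "SYN+ACK"):
        note("first packet seen was the responder's SYN+ACK (SYN missed)")
    # Port heuristic: a service port on the originator side is suspicious.
    if orig_p in LIKELY_SERVER_PORTS and resp_p not in LIKELY_SERVER_PORTS:
        note(f"originator port {orig_p} looks like a service port")
    return reasons


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro's TSV log: '#fields' names the columns, other '#' lines are metadata."""
    fields: List[str] = []
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def review_conn_log(text: str) -> Dict[str, List[str]]:
    """Map uid -> reasons for every TCP connection whose orientation deserves review."""
    findings: Dict[str, List[str]] = {}
    for row in parse_conn_log(text):
        if row["proto"] != "tcp":  # history letters above are TCP-only
            continue
        reasons = flip_reasons(int(row["id.orig_p"]), int(row["id.resp_p"]), row["history"])
        if reasons:
            findings[row["uid"]] = reasons
    return findings


if __name__ == "__main__":
    for uid, reasons in review_conn_log(SAMPLE_CONN_LOG).items():
        print(uid, "; ".join(reasons))
```

Each finding is a reason rather than a yes/no flag, so the analyst can decide per connection whether Bro's orientation was right (a missed SYN followed by a sane handshake) or wrong (a responder-side SYN, or a service port on the originator side), which is exactly the judgement the message argues should stay in postprocessing.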

