[Bro-Dev] [EXTERNAL] Re: [Bro] Logging VLAN IDs

Thomas, Eric D edthoma at sandia.gov
Thu May 7 14:17:52 PDT 2015

That sounds good! Both ideas seem to add an interesting level of
additional flexibility and analytic potential.
Eric Thomas
edthoma at sandia.gov

On 4/29/15, 4:59 PM, "Robin Sommer" <robin at broala.com> wrote:

>What if we did a combination of what I suggested and your thoughts
>here? We carry link-level features through to script-land inside the
>connection record, and in addition allowed to transfer a custom subset
>over to the connection ID for hashing? The latter could be done later
>as a second step.
>On Tue, Apr 28, 2015 at 18:32 +0000, you wrote:
>> Hi Robin,
>> I thought more about your generalized idea and would like to follow up.
>> start, adding link-level features to the connection ID hash, while
>> useful in some contexts, does not provide us the functionality we
>> I have an incoming feed of VLAN-tagged traffic (both VLAN and 802.1ah)
>> with perhaps dozens of different VLANs, and I would like to handle the
>> connections differently in scripts but also mainly in offline log
>> depending upon which VLANs the traffic is associated with.
>> Initially I had proposed simply adding the VLAN Ids to the conn.log
>> but that is certainly too specific of a solution. What are your thoughts
>> on exposing link-level features at the script layer for connections? For
>> example, if all observed VLAN tags for a connection were in a set
>> of the script-level Connection record, I could then label my data by
>> matching VLAN Ids, then process them differently accordingly. Thoughts?
>Robin Sommer * Broala, LLC * robin at broala.com * www.broala.com

More information about the bro-dev mailing list