[Bro-Dev] [EXTERNAL] Re: [Bro] Logging VLAN IDs

Thomas, Eric D edthoma at sandia.gov
Thu May 7 14:17:52 PDT 2015


That sounds good! Both ideas seem to add an interesting level of
additional flexibility and analytic potential.
-- 
Eric Thomas
edthoma at sandia.gov




On 4/29/15, 4:59 PM, "Robin Sommer" <robin at broala.com> wrote:

>What if we did a combination of what I suggested and your thoughts
>here? We carry link-level features through to script-land inside the
>connection record, and in addition allow transferring a custom subset
>over to the connection ID for hashing? The latter could be done later
>as a second step.
>
>Robin
>
>On Tue, Apr 28, 2015 at 18:32 +0000, you wrote:
>
>> Hi Robin,
>> 
>> I thought more about your generalized idea and would like to follow up.
>> To start, adding link-level features to the connection ID hash, while
>> perhaps useful in some contexts, does not provide us the functionality we
>> desire. I have an incoming feed of VLAN-tagged traffic (both VLAN and
>> 802.1ah) with perhaps dozens of different VLANs, and I would like to
>> handle the connections differently in scripts but also mainly in offline
>> log analysis depending upon which VLANs the traffic is associated with.
>> 
>> Initially I had proposed simply adding the VLAN IDs to the conn.log file,
>> but that is certainly too specific of a solution. What are your thoughts
>> on exposing link-level features at the script layer for connections? For
>> example, if all observed VLAN tags for a connection were in a set variable
>> of the script-level Connection record, I could then label my data by
>> matching VLAN IDs, then process them differently accordingly. Thoughts?
>> 
>
>
>-- 
>Robin Sommer * Broala, LLC * robin at broala.com * www.broala.com
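The two designs discussed in this thread, as an added illustration that is not code from the thread or from Bro itself: a toy connection tracker that either keeps VLAN tags only as a set on the connection record (Eric's proposal) or also folds them into the connection key (Robin's second step). The packets, addresses, ports and VLAN labels are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    vlans: tuple  # outer-to-inner tag stack (802.1Q / 802.1ah) seen on this packet


@dataclass
class Connection:
    vlans: set = field(default_factory=set)  # every tag observed on the connection
    pkts: int = 0


def conn_key(pkt, hash_vlans=False):
    """Direction-independent 5-tuple; optionally the VLAN stack joins the key."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    key = (min(a, b), max(a, b), pkt.proto)
    if hash_vlans:
        key += (pkt.vlans,)
    return key


def track(packets, hash_vlans=False):
    """Group packets into connections; VLAN tags always land in the record set."""
    conns = defaultdict(Connection)
    for p in packets:
        c = conns[conn_key(p, hash_vlans)]
        c.vlans.update(p.vlans)
        c.pkts += 1
    return dict(conns)


def labels_for(conn, vlan_labels):
    """Label a connection by the VLANs it carries (offline-analysis style)."""
    return {vlan_labels.get(v, "unknown") for v in conn.vlans}


# Constructed sample: the same 5-tuple reused on VLAN 10 and on VLAN 20.
SAMPLE = [
    Packet("10.0.0.5", 40000, "10.0.0.9", 80, "tcp", (10,)),
    Packet("10.0.0.9", 80, "10.0.0.5", 40000, "tcp", (10,)),
    Packet("10.0.0.5", 40000, "10.0.0.9", 80, "tcp", (20,)),
]
VLAN_LABELS = {10: "corp", 20: "guest"}  # constructed labelling
```

Without the VLAN in the key the three packets collapse into one connection whose `vlans` set reads {10, 20}, so the overlap is visible but the flows are not separable; with `hash_vlans=True` they become two connections.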



