new bro "CURRENT" release - 0.8a57
Mark Dedlow
mtdedlow at lbl.gov
Fri Dec 12 10:03:15 PST 2003
> - The format of Bro's connection summaries is changing. The new format
> looks like
>
> 1069437569.904605 0.230644 1.2.3.4 5.6.7.8 http 59377 80 tcp 610 275 S3 L
>
> That is, <timestamp>, <duration>, <originator address>, <responder address>,
> <service>, <originator port>, <responder port>, <originator bytes>,
> <responder bytes>, <connection state>, <flags>. (Robin Sommer)
>
> The script variable traditional_conn_format=T specifies to use the old
> format rather than this new one. This is *currently* the default, but
> will change soon to default to F instead. If you have comments on this
> new format, we'd like to hear them.
The change notes above don't mention the <addl> field. Is that just
an oversight in the notes, or is it being dropped from the red log?
Will <service> still contain port numbers? Or will "other-nnnnn" become
simply "other"? (that would be my preference)
Although I don't know what the "neighbor net" U flag even means, I wonder
if this is the time to drop that, as the BRO manual says the whole notion
is historical.
Mark
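As an added illustration (not part of the release notes or of Mark's message), here is a small parser for the new connection-summary format quoted above. The field order follows the prose list in the notes, plus the protocol column ("tcp") that appears in the sample line between <responder port> and <originator bytes> but is omitted from the list. Anything after the twelfth field is kept as an optional <addl> string, which is the field Mark asks about; treating "?" byte counts as unknown, and collapsing "other-nnnnn" services to plain "other" (Mark's stated preference), are assumptions of this example, not behaviour the notes describe. The second and third log lines are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Sample input: the first line is the one quoted in the release notes,
# the other two are constructed for this example (not real Bro output).
SAMPLE_LINES = [
    "1069437569.904605 0.230644 1.2.3.4 5.6.7.8 http 59377 80 tcp 610 275 S3 L",
    "1069437570.100000 1.5 10.0.0.1 10.0.0.2 other-6000 40000 6000 tcp ? ? SF L some extra",
    "1069437571.250000 0.01 10.0.0.3 10.0.0.2 dns 53000 53 udp 60 120 SF L",
]


@dataclass
class ConnSummary:
    """One connection summary in the new (non-traditional) format."""
    ts: float
    duration: float
    orig_h: str
    resp_h: str
    service: str
    orig_p: int
    resp_p: int
    proto: str
    orig_bytes: Optional[int]   # None when the log says "?" (assumed convention)
    resp_bytes: Optional[int]
    state: str
    flags: str
    addl: Optional[str]         # everything past the 12th field, if present


def _bytes(field: str) -> Optional[int]:
    # Assumption: an unknown byte count is written as "?".
    return None if field == "?" else int(field)


def parse_conn_line(line: str) -> ConnSummary:
    """Split a whitespace-separated summary line into its named fields."""
    fields = line.split()
    if len(fields) < 12:
        raise ValueError(f"expected at least 12 fields, got {len(fields)}: {line!r}")
    addl = " ".join(fields[12:]) or None
    return ConnSummary(
        ts=float(fields[0]), duration=float(fields[1]),
        orig_h=fields[2], resp_h=fields[3], service=fields[4],
        orig_p=int(fields[5]), resp_p=int(fields[6]), proto=fields[7],
        orig_bytes=_bytes(fields[8]), resp_bytes=_bytes(fields[9]),
        state=fields[10], flags=fields[11], addl=addl,
    )


def normalize_service(service: str) -> str:
    """Collapse 'other-<port>' to 'other' (Mark's preference; an assumption here)."""
    if service.startswith("other-") and service[6:].isdigit():
        return "other"
    return service


def bytes_by_service(lines: Iterable[str]) -> Dict[str, int]:
    """Total bytes in both directions per (normalized) service; unknown counts as 0."""
    totals: Dict[str, int] = {}
    for line in lines:
        c = parse_conn_line(line)
        svc = normalize_service(c.service)
        totals[svc] = totals.get(svc, 0) + (c.orig_bytes or 0) + (c.resp_bytes or 0)
    return totals


if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(parse_conn_line(raw))
    print(bytes_by_service(SAMPLE_LINES))
```

Because the parser keeps whatever trails the twelfth field, it works both if <addl> survives in the new format and if it is dropped; a consumer that needs <addl> can check for `None` rather than guessing the column count.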