new bro "CURRENT" release - 0.8a57

Mark Dedlow mtdedlow at lbl.gov
Fri Dec 12 10:03:15 PST 2003


> - The format of Bro's connection summaries is changing.  The new format
>   looks like
> 
> 	  1069437569.904605 0.230644 1.2.3.4 5.6.7.8 http 59377 80 tcp 610 275 S3 L
> 
>   That is, <timestamp>, <duration>, <originator address>, <responder address>,
>   <service>, <originator port>, <responder port>, <originator bytes>,
>   <responder bytes>, <connection state>, <flags>.  (Robin Sommer)
> 
>   The script variable traditional_conn_format=T specifies to use the old
>   format rather than this new one.  This is *currently* the default, but
>   will change soon to default to F instead.  If you have comments on this
>   new format, we'd like to hear them.

The change notes above don't mention the <addl> field.  Is that just
an oversight in the notes, or is it being dropped from the red log?

Will <service> still contain port numbers?  Or will "other-nnnnn" become
simply "other"?  (that would be my preference)

Although I don't know what the "neighbor net" U flag even means, I wonder
if this is the time to drop that, as the BRO manual says the whole notion
is historical.


Mark
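To make the new field layout concrete, here is an added Python parser (example code, not from Bro or from this thread) for lines in the format quoted above. The sample lines are constructed; treating anything after the flags field as an optional <addl> token and collapsing "other-nnnnn" to "other" are assumptions, since the notes leave both questions open.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not taken from the original post). The first
# mirrors the 0.8a57 example; the second uses a traditional "other-nnnnn"
# service name and carries an extra trailing token, assumed to be <addl>.
SAMPLE_LINES = [
    "1069437569.904605 0.230644 1.2.3.4 5.6.7.8 http 59377 80 tcp 610 275 S3 L",
    "1069437570.104605 1.5 10.0.0.5 192.0.2.9 other-5555 40001 5555 tcp 0 0 S0 L foo",
]


@dataclass
class ConnSummary:
    ts: float
    duration: float
    orig_h: str
    resp_h: str
    service: str
    orig_p: int
    resp_p: int
    proto: str
    orig_bytes: int
    resp_bytes: int
    state: str
    flags: str
    addl: Optional[str]


def parse_conn_line(line: str) -> ConnSummary:
    """Parse one new-style connection summary line into typed fields.

    Field order follows the sample in the release notes. Note that the "tcp"
    token sits between the responder port and the byte counts even though the
    prose field list in the notes does not name it. Any tokens after the flags
    field are joined and returned as <addl> (assumption: optional trailing field).
    """
    fields = line.split()
    if len(fields) < 12:
        raise ValueError(f"expected at least 12 fields, got {len(fields)}: {line!r}")
    addl = " ".join(fields[12:]) or None
    return ConnSummary(float(fields[0]), float(fields[1]), fields[2], fields[3],
                       fields[4], int(fields[5]), int(fields[6]), fields[7],
                       int(fields[8]), int(fields[9]), fields[10], fields[11], addl)


def base_service(service: str) -> str:
    """Collapse "other-nnnnn" to plain "other"; other service names pass through."""
    name, sep, port = service.partition("-")
    return "other" if (name == "other" and sep and port.isdigit()) else service
```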