[Bro] conn.bro

Christian Kreibich christian at whoop.org
Wed Aug 3 13:49:11 PDT 2005


On Wed, 2005-08-03 at 15:37 -0500, Mike Muratet wrote:
>
> > uhmmm is this using a recent Bro? On 0.9x record_connection() is only
> > triggered when a connection is expired, that is, from event
> > connection_state_remove(). Also, its signature is
> >
> 
> No, it was 0.8. That was the version I used to process all the data I had 
> collected. I am using 0.9a as the server for broccoli, though.  I am trying 
> to reproduce exactly the fields from the bro processing of the tcpdump file 
> in the broccoli interface. I think I've got it for the most part, although I 
> am still chasing the basis for the is_tcp call.

Ah I see -- you want the equivalent of record_connection() in your
Broccoli client. I'd recommend modeling your code directly after 0.8's
record_connection()'s implementation.

On the Broccoli end, once you obtain a port as a pointer to a BroPort
structure, you can tell the transport layer type by looking at the
port_proto member. That should be all you need?

Cheers,
Christian.
-- 
________________________________________________________________________
                                          http://www.cl.cam.ac.uk/~cpk25
                                                    http://www.whoop.org
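As an added illustration of the port_proto approach described above (this is not code from the thread, from Bro's conn.bro, or from the Broccoli library): Broccoli's BroPort carries a port number together with an IPPROTO_* protocol number in its port_proto member, which is the field the reply points at. The stand-in struct below mirrors that layout so the file compiles without broccoli.h; the field name port_num, the conn_id shape with string addresses, and the output line format are assumptions made for the example, not Bro 0.8's exact conn.log layout. In a real client the ExamplePort values would come from the BroPort pointers extracted from the connection record (for instance via bro_record_get_named_val on "orig_p" and "resp_p").

```c
/*
 * Added example, not part of the original message, Bro or Broccoli.
 * ExamplePort mirrors Broccoli's BroPort (port number plus IPPROTO_* value in
 * port_proto); the name port_num and the ExampleConnId layout are assumptions.
 */
#include <netinet/in.h>   /* IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ICMP */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct example_port {
    uint64_t port_num;    /* port number in host byte order (assumed field name) */
    int      port_proto;  /* IPPROTO_xxx, the member the reply refers to */
} ExamplePort;

typedef struct example_conn_id {
    const char *orig_h;   /* addresses kept as strings for simplicity */
    ExamplePort orig_p;
    const char *resp_h;
    ExamplePort resp_p;
} ExampleConnId;

/* Client-side equivalent of conn.bro's is_tcp(): the transport type is read
 * from port_proto, never guessed from the port number. */
int example_is_tcp(const ExamplePort *p)
{
    return p->port_proto == IPPROTO_TCP;
}

/* Short protocol name for a log line; anything unexpected is "other". */
const char *example_proto_name(int port_proto)
{
    switch (port_proto) {
    case IPPROTO_TCP:  return "tcp";
    case IPPROTO_UDP:  return "udp";
    case IPPROTO_ICMP: return "icmp";
    default:           return "other";
    }
}

/* Sanity check before logging: both ends of one connection must carry the
 * same transport protocol, and port numbers must fit 16 bits (for ICMP the
 * "ports" are type/code and fit as well). Returns 0 when consistent. */
int example_check_conn_id(const ExampleConnId *id)
{
    if (id->orig_p.port_proto != id->resp_p.port_proto)
        return -1;
    if (id->orig_p.port_num > 0xFFFF || id->resp_p.port_num > 0xFFFF)
        return -2;
    return 0;
}

/* Render one connection as a single text line. Field order is illustrative
 * (orig_h orig_p resp_h resp_p proto), not Bro 0.8's conn.log layout.
 * Returns the number of characters written, or -1 on error/truncation. */
int example_format_conn(const ExampleConnId *id, char *out, size_t outlen)
{
    if (example_check_conn_id(id) != 0)
        return -1;
    int n = snprintf(out, outlen, "%s %llu %s %llu %s",
                     id->orig_h, (unsigned long long)id->orig_p.port_num,
                     id->resp_h, (unsigned long long)id->resp_p.port_num,
                     example_proto_name(id->orig_p.port_proto));
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    /* Constructed sample data: one HTTP connection and one DNS lookup. */
    ExampleConnId http = { "10.0.0.5", { 51234, IPPROTO_TCP },
                           "192.0.2.10", { 80, IPPROTO_TCP } };
    ExampleConnId dns  = { "10.0.0.5", { 40000, IPPROTO_UDP },
                           "192.0.2.53", { 53, IPPROTO_UDP } };
    char line[128];

    if (example_format_conn(&http, line, sizeof line) > 0)
        puts(line);
    if (example_format_conn(&dns, line, sizeof line) > 0)
        puts(line);
    printf("http is_tcp=%d dns is_tcp=%d\n",
           example_is_tcp(&http.resp_p), example_is_tcp(&dns.resp_p));
    return 0;
}
```

The consistency check is the part worth keeping in a real client: a record whose orig_p and resp_p disagree on port_proto is malformed, and logging it silently would hide the problem.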