[Bro] Bytes in conn.log is way to large

Vern Paxson vern at icir.org
Fri Nov 2 15:10:57 PDT 2007


> What about adding some sanity checks, so that the byte values are
> meaningful even if not using large-conns.bro? Otherwise one cannot rely
> at the byte values in conn.log at all.
> Maybe such checks could be:
> * a "maximum bandwidth" a connection must not exceed
> * require that bytes/packets are seen in both directions

These are reasonable features to add, but I don't think we'll give them much
priority ourselves.  (I.e., if you want to contribute it, we'll integrate it.)

		Vern



More information about the Bro mailing list