[Bro] Possible default policy improvements

edthoma edthoma at sandia.gov
Thu Apr 21 08:26:56 PDT 2011


The connection references in the HTTP and FTP logs (lines with 'start' in them) are formatted differently:

%n for HTTP, #n for FTP
'start' near the beginning for HTTP, at the end for FTP
: separates IPs and ports for HTTP, / for FTP
The port in the HTTP log is numeric by default, and named for FTP

I haven't examined similar logs for other protocols yet. I'd like to suggest more consistency among protocol logs in the default .bro files distributed with the code.
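As an added example (not from this post or the Bro project), here is a small normalizer that folds both connection-reference shapes into one canonical record, so downstream tooling does not have to special-case each protocol log; the two sample lines are constructed only to mirror the four differences listed above and are not real Bro log output, and PORT_NAMES is an assumed lookup for the named ports.

```python
import re
from typing import Dict, Optional

# Constructed sample lines (NOT real Bro output): they only reproduce the
# four differences the post lists, so the real layout may differ.
SAMPLE_HTTP = "1303400000.12 %7 start 192.0.2.10:51234 > 198.51.100.5:80"
SAMPLE_FTP = "1303400001.34 #7 192.0.2.10/51235 > 198.51.100.5/ftp start"

# Assumed service-name table for the named ports the FTP log uses.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "http": 80}

# HTTP flavour: %n id, 'start' near the beginning, ':' between IP and port.
HTTP_RE = re.compile(
    r"^(?P<ts>\S+)\s+%(?P<id>\d+)\s+start\s+"
    r"(?P<oh>[\d.]+):(?P<op>\d+)\s+>\s+(?P<rh>[\d.]+):(?P<rp>\d+)$")
# FTP flavour: #n id, 'start' at the end, '/' between IP and (named) port.
FTP_RE = re.compile(
    r"^(?P<ts>\S+)\s+#(?P<id>\d+)\s+"
    r"(?P<oh>[\d.]+)/(?P<op>\w[\w-]*)\s+>\s+(?P<rh>[\d.]+)/(?P<rp>\w[\w-]*)"
    r"\s+start$")


def port_number(p: str) -> int:
    """Accept a numeric or a named port; names resolve through PORT_NAMES."""
    if p.isdigit():
        return int(p)
    if p not in PORT_NAMES:
        raise ValueError(f"unknown service name: {p!r}")
    return PORT_NAMES[p]


def normalize(line: str) -> Optional[Dict[str, object]]:
    """Return one canonical record for either log flavour, or None when the
    line is not a connection 'start' reference in either shape."""
    proto, m = "http", HTTP_RE.match(line)
    if not m:
        proto, m = "ftp", FTP_RE.match(line)
    if not m:
        return None
    return {
        "proto": proto,
        "ts": float(m["ts"]),
        "conn_id": int(m["id"]),
        "orig_h": m["oh"], "orig_p": port_number(m["op"]),
        "resp_h": m["rh"], "resp_p": port_number(m["rp"]),
    }
```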

Also, I'd like to suggest that the HTTP log include, where applicable, X-Forwarded-For information. Proxies are very pervasive at this point, so I'd guess that such information would be of extreme value for many. I suspect this has been suggested before, so perhaps there is some history that I don't know about.

Eric Thomas
edthoma at sandia.gov