[Bro] Possible default policy improvements
Seth Hall
seth at icir.org
Thu Apr 21 09:03:33 PDT 2011
On Apr 21, 2011, at 11:26 AM, edthoma wrote:
> The connection references in the HTTP and FTP logs (lines with 'start' in them) are formatted differently:
On the upside, both of those scripts are already rewritten for the next release and this is no longer a concern.
> Also, I'd like to suggest that the HTTP log include, where applicable, X-Forwarded-For information
This information, along with the output from several other headers that indicate proxied connections, is included in the new script by default. :)
> . Proxies are very pervasive at this point, so I'd guess that such information would be of extreme value for many. I suspect this has been suggested before, so perhaps there is some history that I don't know about.
At the very least, even if that data wasn't extracted by default in the next release, it would be *extremely* easy to add it to the logs due to the new logging framework.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/