[Bro] policy event engine

Seth Hall seth at icir.org
Fri Jan 21 07:43:03 PST 2011


On Jan 21, 2011, at 10:36 AM, Yuriy wrote:

> Thank you for the quick reply,
> Can you understand me (at least briefly) what is the reason of "...the
> notion of time in Bro is driven forward by the packet timestamps...", why
> not internal clock?

I expect that it was an optimization, but you'll have to wait for a response from Robin or Vern to clarify that point.

> As I understood the only way to change such behavior (packet timestamps
> clock driven) is "If remote communication is enabled, the internal time will
> be clock driven...". Can one little detail, please?

If you load the listen-clear.bro script, that may make Bro drive off of the clock and not packet timestamps.  This is where my comment about me not knowing whether an actual connection has to take place or not applies.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/




