[Bro] TimeStamp of Bro output

keqhe at cs.wisc.edu
Fri Feb 8 15:04:57 PST 2013


> Hi Robin and Vlad,
>
> according to the bro documentation,
> http://www.bro-ids.org/documentation/scripts/base/protocols/conn/main.html
>
> there is a 'uid' field in conn.log that is a unique flow identifier. Can
> we use uid to identify the same flow in conn.log and http.log/ssl.log?
> Timestamp is not suitable for flow identification.
The important info we want to know is that there are more than
50,000,000 flows in the trace files. So we are not sure whether the uid
field is really UNIQUE.
>
> Thanks!
>> Correct, and in particular log lines are explicitly not sorted by
>> time.
>>
>> Robin
>>
>> On Thu, Feb 07, 2013 at 22:31 +0000, Vlad Grigorescu wrote:
>>
>>> Hi,
>>>
>>> I believe what you're seeing is a result of how those timestamps are
>>> defined.
>>>
>>> In conn.log[1]: "This is the time of the first packet."
>>> In http.log[2]: "Timestamp for when the request happened."
>>>
>>> The conn record doesn't get written until the connection closes (or
>>> times out). It happens during the connection_state_remove[3] event. By
>>> handling it at connection close, you get duration, byte/packet counts,
>>> etc.
>>>
>>> Also, the times for when the first packet was seen, and when the actual
>>> HTTP request was seen can be slightly off.
>>>
>>> Does this line up with what you're seeing?
>>>
>>>   --Vlad
>>>
>>> [1] -
>>> <http://www.bro-ids.org/documentation/scripts/base/protocols/conn/main.html#type-Conn::Info>
>>> [2] -
>>> <http://www.bro-ids.org/documentation/scripts/base/protocols/http/main.html#type-HTTP::Info>
>>> [3] -
>>> <http://www.bro-ids.org/documentation/scripts/base/event.bif.html#id-connection_state_remove>
>>>
>>> On Feb 7, 2013, at 5:11 PM, <keqhe at cs.wisc.edu> wrote:
>>>
>>> > HI Everyone,
>>> >
>>> > We observe that the flows' timestamps in Bro log file are not strictly
>>> > in time order. Also we note that for the same flow, the timestamp in
>>> > conn.log and the timestamp in http.log are not the same. Has anyone
>>> > noticed the problem before and have ideas on this?  Thanks!
>>> >
>>> > _______________________________________________
>>> > Bro mailing list
>>> > bro at bro-ids.org
>>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>
>>
>>
>> --
>> Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
>> ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
>>
>
>
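As an added example (not from this thread or from the Bro project), a small Python script that does the join the question is about: it parses Bro's ASCII conn.log and http.log by their #fields header, checks whether any uid repeats across conn.log rows, and joins http.log to conn.log on uid, reporting how far each request's ts lies after the connection's first-packet ts. The log contents, hosts and uids are constructed.

```python
"""Join Bro conn.log and http.log on uid and compare their timestamps."""
from collections import Counter
from typing import Dict, List

# Constructed sample logs in Bro's ASCII TSV format (uids made up; real ones look
# like "CHhAvVGS1DHFjwGM9"). conn rows are deliberately not in ts order, since a
# conn row is written at connection_state_remove, not when the flow starts.
CONN_LOG = """#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration
1360300000.100000\tCuid0001\t10.0.0.1\t51234\t10.0.0.2\t80\ttcp\t2.5
1360299990.000000\tCuid0002\t10.0.0.1\t51235\t10.0.0.3\t80\ttcp\t30.0
"""
HTTP_LOG = """#path\thttp
#fields\tts\tuid\tmethod\thost\turi
1360299990.250000\tCuid0002\tGET\texample.test\t/
1360300000.130000\tCuid0001\tGET\texample.test\t/index.html
1360300001.900000\tCuid0001\tGET\texample.test\t/style.css
"""


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro's ASCII log: '#fields' names the columns; other '#' lines are metadata."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def duplicate_uids(conn: List[Dict[str, str]]) -> List[str]:
    """uids found on more than one conn.log row; an empty list means uid is unique."""
    return sorted(u for u, n in Counter(r["uid"] for r in conn).items() if n > 1)


def join_on_uid(conn: List[Dict[str, str]], http: List[Dict[str, str]]) -> List[dict]:
    """One result per HTTP request: the owning connection's first-packet ts, the request
    ts, and the offset between them. A keep-alive connection gives several rows per uid."""
    by_uid = {r["uid"]: r for r in conn}
    out = []
    for h in http:
        c = by_uid.get(h["uid"])
        if c is None:  # conn row not written yet (connection still open) or in another file
            continue
        off = round(float(h["ts"]) - float(c["ts"]), 6)
        out.append({"uid": h["uid"], "conn_ts": float(c["ts"]), "http_ts": float(h["ts"]),
                    "offset": off, "within_conn": 0 <= off <= float(c["duration"])})
    return out
```

On the real 50,000,000-flow trace the same parse and Counter pass over conn.log answers the uniqueness question directly, and a negative offset or one larger than duration flags a join worth inspecting.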