[Bro] File log

Seth Hall seth at icir.org
Wed Oct 1 08:07:05 PDT 2014


On Oct 1, 2014, at 10:27 AM, Paul Halliday <paul.halliday at gmail.com> wrote:

> Good to know. Out of curiosity though, if the field is of little value then why even have it? (I have to deal with a trillion copies of '-') 

For a little more explanation, I'll point to a mailing list post I did a while ago:
	http://marc.info/?l=bro&m=139882790812212&w=2

I'm not sure that I'd say that the field is of little value though.  It's actually pretty valuable, the only problem is that for the most frequently seen protocol in your files log (HTTP), filenames are rarely made available.  If you look at SMTP traffic, you will much more frequently see that attachments have filenames.

Also, for the upcoming SMB analyzer, filenames are always (or should always be) available.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
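Since most files.log rows carry '-' in the filename column, a practical first step is to parse the log by its #fields header and count, per source protocol, how often a filename is actually present. The following is an added example, not code from the thread or from the Bro project; the log sample is constructed and uses an abbreviated subset of the real files.log columns.

```python
# Added example (not from the original thread): parse a Bro files.log by its
# #fields header and report how often the filename field is populated per source.
from collections import defaultdict

# Constructed, abbreviated files.log sample; real logs carry more columns.
SAMPLE_FILES_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tfuid\ttx_hosts\trx_hosts\tsource\tmime_type\tfilename
1412174400.1\tFa1b2c3d\t10.0.0.5\t10.0.0.9\tHTTP\ttext/html\t-
1412174401.2\tFb2c3d4e\t10.0.0.5\t10.0.0.9\tHTTP\timage/png\t-
1412174402.3\tFc3d4e5f\t10.0.0.5\t10.0.0.9\tHTTP\tapplication/zip\tupdate.zip
1412174403.4\tFd4e5f6a\t10.0.0.7\t10.0.0.9\tSMTP\tapplication/pdf\tinvoice.pdf
1412174404.5\tFe5f6a7b\t10.0.0.7\t10.0.0.9\tSMTP\ttext/plain\t-
#close\t2014-10-01-08-07-05
"""

def parse_bro_log(text):
    """Yield one dict per record, keyed by the #fields names; a value equal
    to the #unset_field marker (normally '-') becomes None."""
    fields, unset = None, "-"
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("record before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        yield {k: (None if v == unset else v) for k, v in zip(fields, values)}

def filename_coverage(text):
    """Return {source: (records_with_filename, total_records)}."""
    stats = defaultdict(lambda: [0, 0])
    for rec in parse_bro_log(text):
        stats[rec["source"]][1] += 1
        if rec["filename"] is not None:
            stats[rec["source"]][0] += 1
    return {src: tuple(n) for src, n in stats.items()}

def named_files(text):
    """Only the records that actually carry a filename; the '-' rows drop out."""
    return [r for r in parse_bro_log(text) if r["filename"] is not None]
```

On the sample, HTTP yields a filename for 1 of 3 records and SMTP for 1 of 2, which mirrors the pattern described above; run named_files() over a real log to get just the rows worth looking at.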
