[Bro] deterministic uids
Frank Meier
franky.meier.1 at gmx.de
Mon Sep 21 07:09:06 PDT 2015
Hi!
Is there any reason why uids in bro are partly random and not just a function
of the meta information of the flow? When I restart Bro with the same pcap,
I have to make sure to set the seed file to get the same uids.
I would just compute a hash over time, source-host, source-port,
destination host, destination port and protocol:
event new_connection(c: connection) {
    c$uid = md5_hash(c$start_time, c$id$orig_h, c$id$orig_p, c$id$resp_h,
                     c$id$resp_p);
}
A disadvantage would be that the length of the hash is not
configurable anymore.
Any ideas why this is a bad idea?
Thanks,
Franky
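
Added example, not part of the original message and not Bro's own code: a Python sketch of the proposal above, deriving a uid only from start time, the four address/port fields and the protocol. The helper names, the fixed-width field encoding, the use of SHA-256 in place of md5_hash, the `bits` truncation parameter and the sample flows are all assumptions made for illustration.

```python
import hashlib
import ipaddress
import struct


def _addr16(host):
    """Return a 16-byte address; IPv4 is widened to IPv4-mapped IPv6."""
    ip = ipaddress.ip_address(host)
    if ip.version == 4:
        return b"\x00" * 10 + b"\xff\xff" + ip.packed
    return ip.packed


def flow_uid(start_time, orig_h, orig_p, resp_h, resp_p, proto, bits=96):
    """Derive a uid from flow metadata only (hypothetical helper, not Bro's)."""
    if bits % 8 or not 32 <= bits <= 256:
        raise ValueError("bits must be a multiple of 8 between 32 and 256")
    # Fixed-width fields keep field boundaries unambiguous, which plain
    # string concatenation of the values does not guarantee.
    material = b"".join([
        struct.pack("!Q", round(start_time * 1_000_000)),  # microseconds
        _addr16(orig_h), struct.pack("!H", orig_p),
        _addr16(resp_h), struct.pack("!H", resp_p),
        struct.pack("!B", proto),                          # IP protocol number
    ])
    # SHA-256 stands in for the md5_hash of the post; truncation sets the length.
    return hashlib.sha256(material).hexdigest()[: bits // 4]


# Constructed sample flows: (start_time, orig_h, orig_p, resp_h, resp_p, proto)
FLOW_A = (1442844546.120001, "192.0.2.10", 49152, "198.51.100.7", 443, 6)
FLOW_B = (1442844546.120001, "192.0.2.10", 49153, "198.51.100.7", 443, 6)
FLOW_UDP = (1442844546.120001, "192.0.2.10", 49152, "198.51.100.7", 443, 17)


def demo():
    """Compare uids across repeated runs and across differing flows."""
    return {
        "rerun_stable": flow_uid(*FLOW_A) == flow_uid(*FLOW_A),
        "port_changes_uid": flow_uid(*FLOW_A) != flow_uid(*FLOW_B),
        "proto_changes_uid": flow_uid(*FLOW_A) != flow_uid(*FLOW_UDP),
        "short_uid": flow_uid(*FLOW_A, bits=64),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two flows that share all six inputs receive the same uid in this scheme, so the resolution of the start timestamp bounds how unique the identifiers can be.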