[Bro] deterministic uids
Seth Hall
seth at icir.org
Mon Sep 21 08:57:29 PDT 2015
> On Sep 21, 2015, at 10:09 AM, Frank Meier <franky.meier.1 at gmx.de> wrote:
>
> Is there any reason why uids in bro are partly random and not just a function
> of the meta information of the flow? When I restart Bro with the same pcap,
> I have to make sure to set the seed file to get the same uids.
If there was no randomness in the uid creation, uids could be influenced by potential adversaries which could dramatically impact your analysis. As it is now, attackers shouldn’t be able to influence uids.
If you need determinism in them you can seed the random generator with either the BRO_SEED_FILE environment variable or with the command line option...
-J|--set-seed <seed> | set the random number seed
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list