[Bro] Question on SSL logs

Johanna Amann johanna at icir.org
Fri Jul 8 12:54:44 PDT 2016


Hello Raj,

Off the top of my head, I am not aware of any reason why the 2.4.1 SSL logs
should be more compact than the 2.3.2 logs; if anything, they should be
larger.

There were some changes to make the logs more compact, but those were from
2.2 to 2.3; in these cases, a better metric would be the number of lines.

In any case, if you can potentially take a small sample of your traffic and
run both 2.3.2 and 2.4.1 against it, and notice any changes (especially
missing lines in 2.4.1), I would appreciate it if you could let me know.

Johanna

On Fri, Jul 08, 2016 at 07:29:17PM +0000, Raj Srinivasan wrote:
> Hello,
> 
> First, the background info... we are in the process of upgrading from Bro v2.3.2 to v2.4.1. The older version runs on a slower system which experiences more packet loss than the newer version, which is running on a faster system (which has mostly no loss at all). Both systems are seeing the same network traffic.
> 
> What we are seeing is that the SSL logs from v2.3.2 are consistently larger (by 20% to 25%) than the logs produced by v2.4.1. I see that there are a lot of improvements in the handling of SSL, and many that might actually impact log information, but we are unable to quantify how the logs are being affected even after a visual inspection of the logs. Is it reasonable to expect the new log files to be more compact (using the default SSL policies in both cases)? Just as a data point, the HTTP logs are comparable in size.
> 
> Would highly appreciate a response from the Bro SSL experts.
> 
> Thanks!
> Raj
> 

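A script for the comparison Johanna suggests, added here as an example and not part of the thread: it parses two Bro ASCII ssl.log excerpts, counts record lines (skipping the `#` header and `#close` lines, so the line count is the one that matters) and matches records across versions by connection 4-tuple rather than by `uid`, since uids are generated per Bro run and will not line up between 2.3.2 and 2.4.1. The embedded log excerpts are constructed samples, not real captures.

```python
# Constructed ssl.log excerpts in Bro's tab-separated ASCII format (not real data).
OLD_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring
1467990000.1\tCa1old\t10.0.0.1\t50001\t192.0.2.10\t443\tTLSv12\texample.com
1467990001.2\tCa2old\t10.0.0.2\t50002\t192.0.2.11\t443\tTLSv10\t-
#close\t2016-07-08-12-00-00
"""

# Same traffic seen by the newer version: different uids, and one record missing.
NEW_LOG = """#separator \\x09
#path\tssl
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tversion\tserver_name
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring
1467990000.1\tCb9new\t10.0.0.1\t50001\t192.0.2.10\t443\tTLSv12\texample.com
#close\t2016-07-08-12-00-00
"""

CONN_KEY = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p")

def parse_bro_log(text):
    """Return a list of records (dicts keyed by the #fields header) from Bro ASCII log text."""
    fields, records = None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):                 # header/footer lines carry no records
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("record line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records

def compare_ssl_logs(old_text, new_text):
    """Compare record counts and find connections logged by one version but not the other."""
    old, new = parse_bro_log(old_text), parse_bro_log(new_text)
    old_keys = {tuple(r[k] for k in CONN_KEY) for r in old}
    new_keys = {tuple(r[k] for k in CONN_KEY) for r in new}
    return {"old_records": len(old), "new_records": len(new),
            "missing_in_new": sorted(old_keys - new_keys),
            "only_in_new": sorted(new_keys - old_keys)}
```

Run it against real ssl.log files from both systems by reading each file into a string; a non-empty `missing_in_new` list is exactly the evidence Johanna asks for.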


