[Bro] Question about http.log and conn.log.

Johanna Amann johanna at icir.org
Thu Dec 28 12:42:37 PST 2017


> (1)Why do some UID in http.log not correspond to conn.log UID?

This should not be possible - all connections in http.log should
(eventually) be logged in conn.log. Note that they do not necessarily have
to be logged with the same timestamp or even in the same logfile -
especially with long-lived connections.

> (2)Why may one conn.log UID correspond to many flows in HTTP.log?

The HTTP log does not contain flows but requests. One HTTP connection can
have many request/reply pairs.

Johanna
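
The correlation described in the reply above, as an added example that is not part of the original post: it joins http.log to conn.log on uid, counts requests per connection, and reports http.log UIDs that are absent from the conn.log files supplied. The function names, the reduced field sets and the sample log contents are constructed for illustration.

```python
from collections import defaultdict

def read_bro_log(text):
    """Yield one dict per record of a Bro ASCII (TSV) log, keyed by its #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def correlate(http_logs, conn_logs):
    """Return (requests grouped by uid, http uids not found in any supplied conn.log)."""
    conn_uids = {r["uid"] for text in conn_logs for r in read_bro_log(text)}
    requests = defaultdict(list)
    for text in http_logs:
        for r in read_bro_log(text):
            requests[r["uid"]].append((r["method"], r["uri"]))
    return dict(requests), set(requests) - conn_uids

def _log(fields, rows):
    # Helper that builds a constructed sample log; real logs carry more header lines and fields.
    lines = ["#fields\t" + "\t".join(fields)] + ["\t".join(r) for r in rows]
    return "\n".join(lines) + "\n"

# Constructed sample: one hourly http.log and two hourly conn.log files.
HTTP_12 = _log(["ts", "uid", "method", "uri"], [
    ["1514490000.1", "CaaaEXAMPLE1", "GET", "/"],
    ["1514490000.9", "CaaaEXAMPLE1", "GET", "/style.css"],  # same connection, second request
    ["1514490100.0", "CbbbEXAMPLE2", "GET", "/stream"],      # long-lived connection
])
CONN_12 = _log(["ts", "uid", "duration"], [["1514490000.0", "CaaaEXAMPLE1", "1.2"]])
CONN_13 = _log(["ts", "uid", "duration"], [["1514490099.0", "CbbbEXAMPLE2", "4000.0"]])

if __name__ == "__main__":
    reqs, missing = correlate([HTTP_12], [CONN_12])
    for uid, pairs in reqs.items():
        print(uid, len(pairs), "request(s)")
    print("not in this conn.log:", sorted(missing))
    _, missing = correlate([HTTP_12], [CONN_12, CONN_13])
    print("after adding the next conn.log:", sorted(missing))
```

A UID that still has no conn.log match after the later rotated files are included is the case worth investigating.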

