List: bro
Subject: Re: [Bro] Questions about Bro Capabilities
From: Nicholas Weaver <nweaver () ICSI ! Berkeley ! EDU>
Date: 2007-10-04 15:07:42
Message-ID: 20071004150742.GA3276 () kona ! ICSI ! Berkeley ! EDU
On Thu, Oct 04, 2007 at 11:03:07AM -0400, Reed Porada composed:
> >Does this make any sense?
>
> In general I understand what you and Nick have proposed. I do not
> know how to get the flow-ids out. Are the http_request_stream$id's
> unique? One thing that was suggested by a co-worker after looking at
> the output, is that we have a timestamp, src ip/port, dst ip/port.
> In general within a pcap that is sufficient for identifying a packet,
> my guess as to why you have not suggested this option is that the
> network_time() that is being used in output does not relate to the
> stream. Is there anyway to get that to have a closer correlation to
> the stream? I am also curious as to how to interpret the output from
> http-body. What does each printout from http_entity_data events
> represent? Is it a new packet, or an update to the stream that could
> be the sum of an arbitrary number of packets?
With most hosts, the 5-tuple should be unique (src ip/port, dst
ip/port, proto). So just record the 5-tuple of anything to exclude in
a file, and then use that file in the second pass to filter out those
connections.
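The two-pass scheme above, as an added example that is not part of this thread or of Bro itself: pass one writes the 5-tuples of the connections to exclude into a file, pass two reads that file and either drops matching connection records or emits an equivalent BPF expression for a packet-level re-read (e.g. `tcpdump -r`). The connection-record layout, the exclusion file format and the sample addresses are constructed for the example; the key is made direction-independent so that the server's reply half of a connection is excluded along with the client's request half.

```python
# Added example (not from the Bro list thread): two-pass connection exclusion
# keyed on the 5-tuple. Record layout and file format are assumptions.
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# (proto, ip_a, port_a, ip_b, port_b) with the endpoints in a fixed order
FiveTuple = Tuple[str, str, int, str, int]


def canonical(proto: str, src: str, sport: int, dst: str, dport: int) -> FiveTuple:
    """Direction-independent key: a packet from the server back to the client
    must map to the same key as the client's request."""
    a = (ipaddress.ip_address(src), int(sport))
    b = (ipaddress.ip_address(dst), int(dport))
    key = lambda e: (e[0].version, int(e[0]), e[1])
    if key(a) > key(b):
        a, b = b, a
    return (proto.lower(), str(a[0]), a[1], str(b[0]), b[1])


def write_exclusions(records: Iterable[Dict]) -> str:
    """Pass 1: serialise the 5-tuples of the records to exclude, one per line."""
    lines = ["# proto src sport dst dport"]
    seen: Set[FiveTuple] = set()
    for r in records:
        t = canonical(r["proto"], r["src"], r["sport"], r["dst"], r["dport"])
        if t not in seen:
            seen.add(t)
            lines.append("%s %s %d %s %d" % t)
    return "\n".join(lines) + "\n"


def load_exclusions(text: str) -> Set[FiveTuple]:
    """Pass 2 input: parse the file written by write_exclusions; blank and
    comment lines are ignored."""
    out: Set[FiveTuple] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        proto, src, sport, dst, dport = line.split()
        out.add(canonical(proto, src, int(sport), dst, int(dport)))
    return out


def filter_records(records: Iterable[Dict], excluded: Set[FiveTuple]) -> List[Dict]:
    """Pass 2: keep only records whose 5-tuple is not in the exclusion set."""
    return [r for r in records
            if canonical(r["proto"], r["src"], r["sport"], r["dst"], r["dport"]) not in excluded]


def bpf_exclusion(excluded: Set[FiveTuple]) -> str:
    """Equivalent BPF filter for a packet-level second pass. Both directions are
    spelled out because 'host A and port P' does not bind port P to host A."""
    clauses = []
    for proto, a, pa, b, pb in sorted(excluded):
        fwd = "src host %s and src port %d and dst host %s and dst port %d" % (a, pa, b, pb)
        rev = "src host %s and src port %d and dst host %s and dst port %d" % (b, pb, a, pa)
        clauses.append("(%s and ((%s) or (%s)))" % (proto, fwd, rev))
    if not clauses:
        return ""
    return "not (" + " or ".join(clauses) + ")"


# Constructed sample connection records (documentation address ranges).
SAMPLE = [
    {"ts": 1191510187.1, "proto": "tcp", "src": "192.0.2.10", "sport": 40123,
     "dst": "198.51.100.7", "dport": 80},
    {"ts": 1191510188.4, "proto": "tcp", "src": "198.51.100.7", "sport": 80,
     "dst": "192.0.2.10", "dport": 40123},   # reply half of the first connection
    {"ts": 1191510190.0, "proto": "tcp", "src": "192.0.2.11", "sport": 51000,
     "dst": "198.51.100.7", "dport": 80},
    {"ts": 1191510191.2, "proto": "udp", "src": "192.0.2.10", "sport": 40123,
     "dst": "198.51.100.7", "dport": 80},    # same ports, different protocol
]


def demo() -> Tuple[int, str]:
    exclusion_file = write_exclusions([SAMPLE[0]])   # pass 1: exclude the first HTTP connection
    excluded = load_exclusions(exclusion_file)
    kept = filter_records(SAMPLE, excluded)          # pass 2: both halves of it are dropped
    return len(kept), bpf_exclusion(excluded)


if __name__ == "__main__":
    n, bpf = demo()
    print("kept %d of %d records" % (n, len(SAMPLE)))
    print("tcpdump -r trace.pcap '%s'" % bpf)
```

The uniqueness assumption is the caveat: over a long capture a client reuses ephemeral ports, so a 5-tuple written in pass one can match an unrelated later connection in pass two. If that matters for the trace at hand, store the connection's start and end times beside the 5-tuple and apply the exclusion only inside that window.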