Hey, had a quick question about the connection information in the
Software::Info structure.

From what I can see in the source code / manual there seems to be only one
side of the connection represented (only "host" and "host_p").

For what we are trying to do, we want the full connection to be logged,
just as HTTP, for example, records the originating / responding host / port.
Since the Software::found function seems to take a connection as a
parameter, would it be possible to pull c$id$orig_h, c$id$orig_p,
c$id$resp_h, and c$id$resp_p fields out and pass them into this framework?
Or is there some limitation that prevents those fields from being accessed?

To access the information, I was thinking of adding two fields to the
Software::Info record which would hold the other 2 values not represented
by host and host_p - and then modify the Software::found calls in the SMTP,
SSH, HTTP etc policies so that they pass along the additional information
from their connection object. Does this seem like a reasonable approach or
is there an easier way?

Thanks,
N. Siow
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

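As an added illustration (not code from the message above or from the Bro project), one way to log both endpoints without editing every Software::found() call in the SMTP/SSH/HTTP scripts: extend Software::Info via redef and fill the new fields from the conn_id in a higher-priority handler. It assumes the framework raises a Software::register(id: conn_id, info: Software::Info) event before its default logging handler, and that records are shared by reference so the handler's changes reach the log writer.

```bro
# Added example (not the original post's code).
# Assumption: Software::found() raises
#   event Software::register(id: conn_id, info: Software::Info)
# and a handler with higher priority runs before the default one that
# calls Log::write, so fields set here end up in software.log.

module SoftwareConn;

redef record Software::Info += {
	## The peer of the host on which the software was observed.
	peer_h: addr &log &optional;
	## The port used by that peer.
	peer_p: port &log &optional;
};

event Software::register(id: conn_id, info: Software::Info) &priority=10
	{
	# info$host already holds whichever endpoint offered the banner
	# (server for HTTP/SSH responses, client for User-Agent strings),
	# so the peer is the opposite side of the connection identifier.
	if ( info$host == id$orig_h )
		{
		info$peer_h = id$resp_h;
		info$peer_p = id$resp_p;
		}
	else
		{
		info$peer_h = id$orig_h;
		info$peer_p = id$orig_p;
		}
	}
```

With this loaded, each software.log line carries host/host_p for the side that exposed the software plus peer_h/peer_p for the other side, which is the full four-tuple the post asks for.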