What if we did a combination of what I suggested and your thoughts here? We carry link-level features through to script-land inside the connection record, and in addition allow transferring a custom subset over to the connection ID for hashing? The latter could be done later as a second step.

Robin

On Tue, Apr 28, 2015 at 18:32 +0000, you wrote:

> Hi Robin,
>
> I thought more about your generalized idea and would like to follow up. To
> start, adding link-level features to the connection ID hash, while perhaps
> useful in some contexts, does not provide us the functionality we desire.
> I have an incoming feed of VLAN-tagged traffic (both VLAN and 802.1ah)
> with perhaps dozens of different VLANs, and I would like to handle the
> connections differently in scripts but also mainly in offline log analysis
> depending upon which VLANs the traffic is associated with.
>
> Initially I had proposed simply adding the VLAN Ids to the conn.log file,
> but that is certainly too specific of a solution. What are your thoughts
> on exposing link-level features at the script layer for connections? For
> example, if all observed VLAN tags for a connection were in a set variable
> of the script-level Connection record, I could then label my data by
> matching VLAN Ids, then process them differently accordingly. Thoughts?
>

--
Robin Sommer * Broala, LLC * [email protected] * www.broala.com
