That sounds good! Both ideas seem to add an interesting level of additional flexibility and analytic potential.

--
Eric Thomas
[email protected]

On 4/29/15, 4:59 PM, "Robin Sommer" <[email protected]> wrote:

>What if we did a combination of what I suggested and your thoughts
>here? We carry link-level features through to script-land inside the
>connection record, and in addition allowed to transfer a custom subset
>over to the connection ID for hashing? The latter could be done later
>as a second step.
>
>Robin
>
>On Tue, Apr 28, 2015 at 18:32 +0000, you wrote:
>
>> Hi Robin,
>>
>> I thought more about your generalized idea and would like to follow up.
>> To start, adding link-level features to the connection ID hash, while
>> perhaps useful in some contexts, does not provide us the functionality
>> we desire. I have an incoming feed of VLAN-tagged traffic (both VLAN and
>> 802.1ah) with perhaps dozens of different VLANs, and I would like to
>> handle the connections differently in scripts but also mainly in offline
>> log analysis depending upon which VLANs the traffic is associated with.
>>
>> Initially I had proposed simply adding the VLAN Ids to the conn.log
>> file, but that is certainly too specific of a solution. What are your
>> thoughts on exposing link-level features at the script layer for
>> connections? For example, if all observed VLAN tags for a connection
>> were in a set variable of the script-level Connection record, I could
>> then label my data by matching VLAN Ids, then process them differently
>> accordingly. Thoughts?
>>
>
>--
>Robin Sommer * Broala, LLC * [email protected] * www.broala.com
