conn. uid

Hi,
I am trying to include the uid that’s shown in conn.log in the log messages I generate from
my plugin. I want to do this so that I can correlate my log messages to the other log lines
generated in the other logs. After looking into the Bro code a little, I came up with
the following based on EncapsulatingConn::EncapsulatingConn (src/TunnelEncapsulation.cc):

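Bro::UID uid = c->GetUID();
if (!uid) {
    // No UID assigned to this connection yet: generate one and store it.
    uid.Set(bits_per_uid);
    c->SetUID(uid);
    uid = c->GetUID();
}
// Base62 string with the "C" prefix, as seen in conn.log.
std::string uid_str = uid.Base62("C");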

My plugin is based on tcp::TCP_ApplicationAnalyzer; ‘c’ is of type ‘Connection’. Things seem to be working ok. I am getting a uid that looks similar to what I see in conn.log. However, there is one thing that’s a bit puzzling though. Not all the UIDs that show up in my log are present in the conn.log. What could be the reason for this? Would appreciate any insight into this. Thanks.

Dk.

If you were watching logs in real time, it could be that an entry just
has not been written to conn.log yet since those are generated when
connections end or are inactive for too long (5 mins is Bro's default
timeout for TCP).

Else, I'd try isolating an example pcap where you have something
logged in your custom log but not in conn.log then stepping through
with a debugger to find out what happens to the connections that are
missing from conn.log. And if you can provide such a pcap and a
minimal example plugin that shows the behavior, I can also help take a
look.

- Jon
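
Added example (not part of the original thread, and not Bro project code): one way to find which UIDs in a plugin log have no conn.log entry, and to separate those that may simply not be written yet from those worth isolating into a pcap. It assumes the plugin log is written in Bro's ASCII (TSV) format with ts and uid fields; the log contents, the "myplugin" path and the function names are constructed for illustration, and the 300 second default is the 5 minute timeout mentioned above.

```python
import io

def read_bro_log(stream):
    """Parse a Bro ASCII (TSV) log into dicts keyed by the #fields names."""
    sep, fields, rows = "\t", None, []
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#separator"):
            # The header stores the separator escaped, e.g. "#separator \x09".
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split(sep))))
    return rows

def uids_missing_from_conn(plugin_rows, conn_rows, timeout=300.0):
    """Return (pending, investigate): plugin UIDs with no conn.log entry.

    pending:     last plugin activity is within `timeout` seconds of the newest
                 timestamp in either log, so conn.log may not be written yet.
    investigate: older than that; candidates for isolating into a pcap.
    Heuristic only: a long-lived connection also stays out of conn.log.
    """
    logged = {r["uid"] for r in conn_rows}
    last_seen = {}
    for r in plugin_rows:
        last_seen[r["uid"]] = max(float(r["ts"]), last_seen.get(r["uid"], 0.0))
    newest = max((float(r["ts"]) for r in conn_rows + plugin_rows), default=0.0)
    pending, investigate = [], []
    for uid, ts in sorted(last_seen.items()):
        if uid not in logged:
            (pending if newest - ts < timeout else investigate).append(uid)
    return pending, investigate

# Constructed sample logs (not real traffic); "myplugin" is a hypothetical path.
CONN_LOG = ("#separator \\x09\n#path\tconn\n#fields\tts\tuid\tid.orig_h\n"
            "1500000000.0\tCUidAAAA1\t10.0.0.1\n")
PLUGIN_LOG = ("#separator \\x09\n#path\tmyplugin\n#fields\tts\tuid\tmsg\n"
              "1500000010.0\tCUidAAAA1\tseen\n"
              "1500000020.0\tCUidBBBB2\tseen\n"
              "1500000950.0\tCUidCCCC3\tseen\n")

if __name__ == "__main__":
    pending, investigate = uids_missing_from_conn(
        read_bro_log(io.StringIO(PLUGIN_LOG)), read_bro_log(io.StringIO(CONN_LOG)))
    print("possibly not yet logged:", pending)
    print("worth isolating in a pcap:", investigate)
```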

Hi Jon,
Thanks for your insight. I think you and Mark are correct. I haven’t seen this when I use a pcap. I’ll continue to monitor. Thanks again.