deterministic uids


Is there any reason why uids in bro are partly random and not just a function
of the meta information of the flow? When I restart Bro with the same pcap,
I have to make sure to set the seed file to get the same uids.

I would just compute a hash over time, source-host, source-port, destination host,
destination port and protocol:

event new_connection(c: connection) {
c$uid = md5_hash(c$start_time, c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);

A disadvantage would be, that the length of the hash is not configurable anymore.

Any ideas why this is a bad idea?



If there was no randomness in the uid creation, uids could be influenced by potential adversaries which could dramatically impact your analysis. As it is now, attackers shouldn’t be able to influence uids.

If you need determinism in them you can seed the random generator with either the BRO_SEED_FILE environment variable or with the command line option...
    -J|--set-seed <seed> | set the random number seed