deterministic uids

Franky · September 21, 2015, 2:09pm

Hi!

Is there any reason why uids in bro are partly random and not just a function
of the meta information of the flow? When I restart Bro with the same pcap,
I have to make sure to set the seed file to get the same uids.

I would just compute a hash over time, source-host, source-port, destination host,
destination port and protocol:

event new_connection(c: connection) {
c$uid = md5_hash(c$start_time, c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p);
}

A disadvantage would be, that the length of the hash is not configurable anymore.

Any ideas why this is a bad idea?

Thanks,

Franky

Seth_Hall3 · September 21, 2015, 3:57pm

If there was no randomness in the uid creation, uids could be influenced by potential adversaries which could dramatically impact your analysis. As it is now, attackers shouldn’t be able to influence uids.

If you need determinism in them you can seed the random generator with either the BRO_SEED_FILE environment variable or with the command line option...
-J|--set-seed <seed> | set the random number seed

.Seth

Topic		Replies	Views
Question on file hashes and cyrmu db Zeek	7	81	May 6, 2022
Bro 2.5.5 Duplicate UIDs Zeek	1	58	May 6, 2022
Off-line analysis Zeek	1	49	May 6, 2022
Paper on Algorithmic Complexity Attacks Zeek	2	69	May 6, 2022
Devastating DoS attack on Bro via Algorithmic Complexity Attacks Zeek	1	77	May 6, 2022

deterministic uids

Related Topics