Possible default policy improvements

The connection references in the HTTP and FTP logs (lines with 'start' in them) are formatted differently:

%n for HTTP, #n for FTP
'start' near the beginning for HTTP, at the end for FTP
: separates IPs and ports for HTTP, / for FTP
The port in the HTTP log is numeric by default, and named for FTP

I haven't examined similar logs for other protocols yet. I'd like to suggest more consistency among protocol logs in the default .bro files distributed with the code.

Also, I'd like to suggest that the HTTP log include, where applicable, X-Forwarded-For information. Proxies are very pervasive at this point, so I'd guess that such information would be of extreme value for many. I suspect this has been suggested before, so perhaps there is some history that I don't know about.

Eric Thomas
edthoma@sandia.gov

> The connection references in the HTTP and FTP logs (lines with 'start' in them) are formatted differently:

On the upside, both of those scripts are already rewritten for the next release and this is no longer a concern.

> Also, I'd like to suggest that the HTTP log include, where applicable, X-Forwarded-For information.

This information, along with the output from several other headers that indicate proxied connections, is included in the new script by default. :)

> Proxies are very pervasive at this point, so I'd guess that such information would be of extreme value for many. I suspect this has been suggested before, so perhaps there is some history that I don't know about.

At the very least, even if that data wasn't extracted by default in the next release, it would be *extremely* easy to add it to the logs due to the new logging framework.

  .Seth
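As an added illustration of what Seth describes (extending the HTTP log through the logging framework), here is a small script that records the X-Forwarded-For request header in http.log. It is not code from the thread or from the distributed .bro scripts; it assumes the HTTP::Info log record and the four-argument http_header event as found in Bro and Zeek 4.x (newer Zeek releases add an original_name argument, so check your version's signature).

```zeek
# Added example: record X-Forwarded-For in http.log.
# Assumes HTTP::Info and the four-argument http_header event (Bro / Zeek 4.x).
@load base/protocols/http

redef record HTTP::Info += {
    ## Value of the X-Forwarded-For header sent by the client, if present.
    ## It is client-supplied and may list several hops, so log it for
    ## investigation but do not treat it as an authenticated origin address.
    x_forwarded_for: string &log &optional;
};

event http_header(c: connection, is_orig: bool, name: string, value: string)
{
    # Only request headers matter here, and c$http exists once the request
    # line has been seen by the base HTTP script.
    if ( ! is_orig || ! c?$http )
        return;

    # Header names are delivered upper-cased by this event.
    if ( name == "X-FORWARDED-FOR" )
        c$http$x_forwarded_for = value;
}
```

Because the field carries &log, the logging framework adds an x_forwarded_for column to http.log with no further changes; unset it stays "-".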