policy/protocols/conn/known-hosts.bro
Namespace: Known
This script logs hosts that Bro observes completing a TCP handshake, whether as originator or responder, and logs each address once per day (by default). The resulting log gives an easy way to count the IP addresses in use on a network per day. Note that only hosts that complete a TCP handshake are recorded: addresses that appear solely in UDP or ICMP traffic, or only in unanswered SYNs (scans, spoofed sources), never reach this log.
Summary
Redefinitions
- Log::ID: enum
  The known-hosts logging stream identifier.
Detailed Interface
Options
- Known::host_tracking
  The hosts whose existence should be logged and tracked. See the Host type for the possible choices (ALL_HOSTS, LOCAL_HOSTS, REMOTE_HOSTS, NO_HOSTS); the default is LOCAL_HOSTS. Whether an address counts as local is decided by Site::local_nets, so with LOCAL_HOSTS and an empty Site::local_nets nothing is logged at all.
State Variables
- Known::known_hosts
  The set of all known addresses, kept to prevent duplicate logging of the same address. Other scripts can also consult it to check whether an address has been seen in use. Entries are kept for 24 hours so that the existence of each individual address is logged again each day; membership therefore means "seen within the last day", not "ever seen".
Types
- Known::HostsInfo
  Type: record
  - ts: time &log
    The timestamp at which the host was detected.
  - host: addr &log
    The address that was detected originating or responding to a TCP connection.
  The record type which contains the column fields of the known-hosts log.
Events
- Known::log_known_hosts
  An event that can be handled to access the Known::HostsInfo record as it is sent on to the logging framework. It is raised once per record written to the stream, so at most once per address per day.
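The following script is an added example and is not part of known-hosts.bro or the Bro distribution. It shows the three ways another script interacts with this one: widening Known::host_tracking, handling Known::log_known_hosts to tally what gets logged, and testing membership in Known::known_hosts from a connection_established handler. The module name, the notice type Unknown_Host_Sensitive_Port, the port watch-list and the assumption that known-hosts.bro inserts into the set from a connection_established handler at &priority=5 are all this example's own; the ports are constructed sample values.

```bro
##! Added example (not part of known-hosts.bro): consume the known-hosts
##! stream and consult Known::known_hosts from a separate script.

@load base/frameworks/notice
@load base/utils/site
@load protocols/conn/known-hosts

module KnownExample;

export {
	redef enum Notice::Type += {
		## Hypothetical notice type defined by this example: a host that
		## is not in Known::known_hosts connected to a watched port.
		Unknown_Host_Sensitive_Port
	};

	## Constructed watch-list of responder ports; sample values only.
	const sensitive_ports: set[port] = { 22/tcp, 3389/tcp } &redef;

	## Tally of hosts the known-hosts script logged, split by whether
	## Site::local_nets says they are local. Reset once a day.
	global local_logged: count = 0;
	global remote_logged: count = 0;
}

# The default is LOCAL_HOSTS; also record remote addresses that
# complete a handshake with us.
redef Known::host_tracking = ALL_HOSTS;

# Raised for every record written to the known-hosts stream, i.e. at
# most once per address per day.
event Known::log_known_hosts(rec: Known::HostsInfo)
	{
	if ( Site::is_local_addr(rec$host) )
		++local_logged;
	else
		++remote_logged;
	}

# Assumption: known-hosts.bro adds the address in its own
# connection_established handler at &priority=5. A higher priority
# here runs first, so the membership test below sees the set as it
# was before this connection was counted.
event connection_established(c: connection) &priority=10
	{
	local orig = c$id$orig_h;

	if ( c$id$resp_p !in sensitive_ports )
		return;

	# Seen within the last 24 hours: nothing new to report.
	if ( orig in Known::known_hosts )
		return;

	NOTICE([$note=Unknown_Host_Sensitive_Port,
	        $msg=fmt("%s not seen in the last day, connected to %s:%s",
	                 orig, c$id$resp_h, c$id$resp_p),
	        $conn=c,
	        $identifier=cat(orig, c$id$resp_p),
	        $suppress_for=1day]);
	}

# Zero the tallies on the same 24-hour cadence as the known_hosts
# expiry, so each day's counts start fresh.
event reset_tallies()
	{
	local_logged = 0;
	remote_logged = 0;
	schedule 1day { reset_tallies() };
	}

event bro_init()
	{
	schedule 1day { reset_tallies() };
	}
```

Because Known::known_hosts expires entries after a day, the notice fires again for a host that reappears after being absent for more than 24 hours; the $suppress_for on the notice only de-duplicates within a day. On a cluster the set is shared between workers, so a host first seen by one worker is already "known" to the others.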