> On Aug 2, 2016, at 6:03 PM, Slagell, Adam J wrote:
>
> Wow. Big difference

Indeed :-) I realized one of the bigger issues in the sumstats-based code is
not really the detection of scans, but what happens AFTER the detection. After
detection it keeps accumulating data, or possibly only sl

I took a closer look at scan-NG and at the scan.bro that shipped with 1.5 to
understand how the detection could be better than what we have now. 1.5 wasn't
fundamentally better, but compared to what we are doing now it has an unfair
advantage :-)

I found that it used tables like this:
globa