[Bro] Quick question
seth at icir.org
Fri Mar 22 12:56:13 PDT 2013
On Mar 22, 2013, at 3:33 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> 184.108.40.206 80 tcp HTTP::MD5 x.x.x.x
> What's this telling me? Usually there's something like Invalid Cert or
> something like that in the notice.log to tell me why it hit, just wasn't
> seeing the reason here. Thank you.
I *hate* that notice and it will be going away in the 2.2 release. The notice type is HTTP::MD5 in that line. It's a hold over from how I implemented file hashing originally back in 2007 or so. It should never have made it into a Bro release (let alone two!).
International Computer Science Institute
(Bro) because everyone has a network
More information about the Bro