[Bro] Summary Reports and service listing
vladg at cmu.edu
Fri Sep 20 06:39:55 PDT 2013
The service field in conn.log (and in those summary reports) is the result of Bro's dynamic protocol detection (DPD). One of Bro's protocol analyzers has confirmed that the traffic seen is that protocol.
If you look in conn.log, you should be able to see if the 514 traffic is TCP or UDP. Bro doesn't have a TCP syslog analyzer right now. If it's UDP, something is sending malformed syslog.
On Sep 20, 2013, at 8:58 AM, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
> Hi All,
> The summary reports that are emailed hourly contain service listings
> (e.g. port 80 HTTP).
> Are there processors that match the service to the port based upon
> packets seen or is this just based off of /etc/services or the like?
> I ask as syslog is being noted on port 514 but not being noted as syslog.
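The check suggested in the reply above (look at the conn.log rows for port 514 and see whether they are TCP or UDP, and whether DPD ever filled in the service field) can be scripted. The following is an added example, not code from the thread or from the Bro project; the conn.log excerpt is constructed for the demonstration (the uids, addresses and timestamps are invented), and the helper names `parse_conn_log`, `summarize_port` and `unconfirmed_flows` are this example's own. It honours the `#fields` and `#unset_field` header lines of the Bro 2.x ASCII log format so that a `-` in the service column is read as "no analyzer confirmed anything" rather than as a service named "-".

```python
"""Summarise Bro conn.log rows for one responder port by transport and DPD service."""
from collections import Counter

# Constructed conn.log excerpt (not a real capture).  Header lines follow the
# Bro 2.x ASCII writer; '-' is the unset-field marker declared in the header.
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1379682000.1\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t10.0.0.10\t514\tudp\tsyslog\t0.0\t120\t0\tSHR
1379682001.2\tCjhGID4nQcgTWjvg4c\t10.0.0.6\t51235\t10.0.0.10\t514\tudp\t-\t0.0\t96\t0\tSHR
1379682002.3\tC4J4Th3PJpwUYZZ6gc\t10.0.0.7\t44100\t10.0.0.10\t514\ttcp\t-\t1.5\t300\t0\tSF
1379682003.4\tCmES5u32sYpV7JYN\t10.0.0.8\t44101\t10.0.0.20\t80\ttcp\thttp\t0.4\t512\t2048\tSF
#close\t2013-09-20-07-00-00
"""


def parse_conn_log(text):
    """Parse Bro ASCII log text into a list of dicts keyed by the #fields names.

    Values equal to the #unset_field marker are mapped to None.
    """
    fields = None
    unset = "-"
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "unset_field":
                unset = value
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        row = dict(zip(fields, line.split("\t")))
        for name, value in row.items():
            if value == unset:
                row[name] = None
        rows.append(row)
    return rows


def summarize_port(rows, resp_port):
    """Count flows to resp_port by (proto, service); unset service becomes '(none)'."""
    counts = Counter()
    for row in rows:
        if row["id.resp_p"] != str(resp_port):
            continue
        counts[(row["proto"], row["service"] or "(none)")] += 1
    return counts


def unconfirmed_flows(rows, resp_port):
    """Rows to resp_port where no protocol analyzer confirmed a service.

    These are the uids to pull packets for when DPD stays silent.
    """
    return [r for r in rows if r["id.resp_p"] == str(resp_port) and r["service"] is None]


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    for (proto, service), n in sorted(summarize_port(rows, 514).items()):
        print(f"port 514 {proto:<4} service={service:<8} flows={n}")
    for row in unconfirmed_flows(rows, 514):
        print("no analyzer confirmation:", row["uid"], row["proto"], row["id.orig_h"])
```

Run against the sample, the summary separates the one UDP flow that the syslog analyzer confirmed from the UDP flow it did not and from the TCP flow, which is the split the reply asks for. On a live sensor the same columns can be pulled with the stock `bro-cut` tool (`bro-cut id.resp_p proto service < conn.log`) before deciding whether the unconfirmed rows are TCP, which no analyzer covers, or malformed UDP syslog.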