[Bro] Summary Reports and service listing

Harry Hoffman hhoffman at ip-solutions.net
Fri Sep 20 06:48:45 PDT 2013

Hey Vlad,

It's UDP and the traffic is syslog.

I have rsyslog listening on my network and traffic is making it from the
network devices to my syslog server, so I don't think it's malformed.

Bro even has the syslog files in its log directory which is why I
thought it odd that things weren't being reported correctly.

Thoughts on where to look next?


On 09/20/2013 09:39 AM, Vlad Grigorescu wrote:
> The service field in conn.log (and in those summary reports) is the result of Bro's dynamic protocol detection (DPD). One of Bro's protocol analyzers has confirmed that the traffic seen is that protocol.
> If you look in conn.log, you should be able to see if the 514 traffic is TCP or UDP. Bro doesn't have a TCP syslog analyzer right now. If it's UDP, something is sending malformed syslog.
>   --Vlad
> On Sep 20, 2013, at 8:58 AM, Harry Hoffman <hhoffman at ip-solutions.net> wrote:
>> Hi All,
>> The summary reports that are emailed hourly contain service listings
>> (e.g. port 80 HTTP).
>> Are there processors that match the service to the port based upon
>> packets seen or is this just based off of /etc/services or the like?
>> I ask as syslog is being noted on port 514 but not being noted as syslog.
>> Cheers,
>> Harry
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
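
The conn.log check suggested in the quoted reply, as an added example that is not part of the original thread: it breaks down port 514 connections by transport and DPD-assigned service. The log lines are constructed, and the layout assumes Bro's default tab-separated conn.log with a #fields header.

```python
import io
from collections import Counter

# Constructed sample in Bro's default TSV log layout (not data from the thread).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1379684000.1\tCaaa1\t192.0.2.10\t51514\t192.0.2.50\t514\tudp\tsyslog",
    "1379684001.2\tCaaa2\t192.0.2.11\t40000\t192.0.2.50\t514\tudp\t-",
    "1379684002.3\tCaaa3\t192.0.2.12\t40001\t192.0.2.50\t514\ttcp\t-",
    "1379684003.4\tCaaa4\t192.0.2.10\t51200\t192.0.2.80\t80\ttcp\thttp",
    "#close\t2013-09-20-07-00-00",
]) + "\n"


def service_breakdown(log, port):
    """Count (proto, service) pairs for connections to responder port `port`.

    Column positions come from the #fields header, so the function keeps
    working when the log carries more columns than the sample does.
    A service of "-" means no analyzer confirmed the protocol.
    """
    fields = None
    counts = Counter()
    for line in log:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("no #fields header before first record")
        rec = dict(zip(fields, line.split("\t")))
        if rec.get("id.resp_p") == str(port):
            counts[(rec["proto"], rec["service"])] += 1
    return counts


def unconfirmed(counts):
    """Return the transports on which traffic had no confirmed service."""
    return sorted({proto for (proto, svc) in counts if svc == "-"})


if __name__ == "__main__":
    result = service_breakdown(io.StringIO(SAMPLE_CONN_LOG), 514)
    for (proto, svc), n in sorted(result.items()):
        print(f"514/{proto}\tservice={svc}\t{n}")
```

Against a real log, pass an open file handle for conn.log instead of the sample; rows with service "-" are the connections that the summary report lists by port only.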
