[Bro] smtp.log empty for long-running MTA capture
dn1nj4 at gmail.com
Mon Sep 23 02:29:35 PDT 2013
Is there a way to tell bro to generate log events (specifically smtp.log)
from partial sessions?
I have a system that periodically feeds packet capture files through bro in
order to generate its log data. I recently discovered that much of my smtp
traffic was not showing up in the smtp.log. The segment in question is
doing long-running bulk email transfers, resulting in the capture file
seldom having SYN or FIN flagged packets, only PUSH and ACK flags. (This
is due to the capture file rotation time being shorter than the MTA
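The situation described above (captures that only ever contain PSH/ACK segments of an SMTP session because the rotation interval is shorter than the transfer) can be measured directly from the pcap before blaming the analyzer. The following is an added example, not code from the original post or from the Bro project: a small pure-Python classic-pcap reader that groups TCP segments into flows touching port 25 and reports how many flows had their SYN inside the file versus how many appear mid-stream only. It assumes Ethernet link type and IPv4, and the sample pcap it runs on is constructed in the block (one complete session, one mid-stream session), so it runs offline.

```python
"""Count SMTP flows in a classic pcap by whether the capture saw their SYN."""
import struct
from collections import defaultdict

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
TCP_FIN, TCP_SYN, TCP_PSH, TCP_ACK = 0x01, 0x02, 0x08, 0x10


def _ipv4(addr):
    """'10.0.0.1' -> 4 raw bytes."""
    return bytes(int(x) for x in addr.split("."))


def build_packet(src, sport, dst, dport, flags, payload=b""):
    """Construct a minimal Ethernet/IPv4/TCP frame (checksums left zero; the parser ignores them)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     _ipv4(src), _ipv4(dst))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a classic (libpcap) file: 24-byte global header, link type 1 = Ethernet."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1380000000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp(pcap):
    """Yield (src, sport, dst, dport, flags) for every IPv4/TCP segment in a classic pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    linktype, = struct.unpack_from(endian + "I", pcap, 20)
    if linktype != 1:
        raise ValueError("only Ethernet link type is handled")
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack_from(endian + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        # Ethernet (14) + IPv4 (>=20): skip anything that is not IPv4 over TCP
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl:]
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        yield src, sport, dst, dport, tcp[13]


def classify_flows(pcap, service_port=25):
    """Return {(client, cport, server, sport): {"syn", "fin", "segments"}} for flows on service_port."""
    flows = defaultdict(lambda: {"syn": False, "fin": False, "segments": 0})
    for src, sport, dst, dport, flags in iter_tcp(pcap):
        if service_port not in (sport, dport):
            continue
        # canonical key is client -> server regardless of segment direction
        key = (src, sport, dst, dport) if dport == service_port else (dst, dport, src, sport)
        rec = flows[key]
        rec["segments"] += 1
        rec["syn"] |= bool(flags & TCP_SYN)
        rec["fin"] |= bool(flags & TCP_FIN)
    return dict(flows)


def summarize(flows):
    """Flows whose SYN is absent from the file are the ones a capture-rotation gap would explain."""
    with_syn = sum(1 for r in flows.values() if r["syn"])
    return {"flows": len(flows), "with_syn": with_syn, "midstream_only": len(flows) - with_syn}


# Constructed sample: one full SMTP session and one that the capture only caught mid-transfer.
SAMPLE_PCAP = build_pcap([
    build_packet("10.0.0.5", 40001, "10.0.0.25", 25, TCP_SYN),
    build_packet("10.0.0.25", 25, "10.0.0.5", 40001, TCP_SYN | TCP_ACK),
    build_packet("10.0.0.5", 40001, "10.0.0.25", 25, TCP_PSH | TCP_ACK, b"EHLO client\r\n"),
    build_packet("10.0.0.5", 40001, "10.0.0.25", 25, TCP_FIN | TCP_ACK),
    build_packet("10.0.0.7", 40002, "10.0.0.25", 25, TCP_PSH | TCP_ACK, b"DATA chunk\r\n"),
    build_packet("10.0.0.25", 25, "10.0.0.7", 40002, TCP_ACK),
])

if __name__ == "__main__":
    print(summarize(classify_flows(SAMPLE_PCAP)))
```

Run against a real rotated capture by replacing `SAMPLE_PCAP` with `open(path, "rb").read()`; a high `midstream_only` count confirms that the rotation interval, not the SMTP analyzer, is removing the handshake from the file, and the per-flow `segments` count shows how much of each transfer is still landing in the capture.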