[Bro] smtp.log empty for long-running MTA capture

. . dn1nj4 at gmail.com
Mon Sep 23 02:29:35 PDT 2013


Hi list,

Is there a way to tell bro to generate log events (specifically smtp.log)
from partial sessions?

I have a system that periodically feeds packet capture files through bro in
order to generate its log data.  I recently discovered that much of my smtp
traffic was not showing up in the smtp.log.  The segment in question is
doing long-running bulk email transfers, resulting in the capture file
seldom having SYN or FIN flagged packets, only PUSH and ACK flags.  (This
is due to the capture file rotation time being shorter than the MTA
sessions).

Thanks!
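A quick way to confirm the condition described above (capture files that rotate faster than the SMTP sessions, so most flows have no SYN or FIN in any single file) is to audit each pcap for TCP flows that were captured mid-stream. The script below is an added example, not code from the post or from the Bro project; it uses only the Python standard library, reads the classic pcap format (Ethernet/IPv4/TCP only, no checksum verification), and builds a small constructed capture in memory so it runs offline. `audit_flows()` groups packets into bidirectional flows and records whether a SYN or FIN was ever seen; `midstream_flows()` returns the flows that began before the capture did.

```python
"""Audit a pcap for TCP flows captured mid-stream (no SYN observed).

Added example for the Bro mailing-list thread about empty smtp.log files;
not from the post or from Bro. Standard library only; the sample capture
is constructed inline.
"""
import struct
from collections import defaultdict

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10


def build_pcap(packets):
    """Wrap raw Ethernet frames in a minimal little-endian pcap (linktype 1)."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frame in packets:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return bytes(out)


def build_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums left at zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(src), bytes(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # dummy MACs, EtherType IPv4


def iter_packets(pcap):
    """Yield (timestamp, frame) for each record in a classic pcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        ts, _usec, caplen, _wirelen = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts, pcap[off:off + caplen]
        off += caplen


def parse_tcp(frame):
    """Return (direction-independent flow key, TCP flags) or None if not IPv4/TCP."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp = frame[14 + ihl:]
    if len(tcp) < 14:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    key = tuple(sorted([(src, sport), (dst, dport)]))
    return key, tcp[13]


def audit_flows(pcap):
    """Group packets into flows, noting packet count and whether SYN/FIN were seen."""
    flows = defaultdict(lambda: {"packets": 0, "syn": False, "fin": False})
    for _ts, frame in iter_packets(pcap):
        parsed = parse_tcp(frame)
        if parsed is None:
            continue
        key, flags = parsed
        f = flows[key]
        f["packets"] += 1
        f["syn"] |= bool(flags & SYN)
        f["fin"] |= bool(flags & FIN)
    return dict(flows)


def midstream_flows(flows):
    """Flows whose first packet in this capture was not a SYN."""
    return {k: v for k, v in flows.items() if not v["syn"]}


CLIENT, SERVER = (10, 0, 0, 5), (192, 0, 2, 25)  # constructed addresses


def sample_pcap():
    """Constructed capture: one complete SMTP session plus one mid-stream transfer."""
    full = [
        (1, build_tcp_frame(CLIENT, SERVER, 40000, 25, SYN)),
        (1, build_tcp_frame(SERVER, CLIENT, 25, 40000, SYN | ACK)),
        (1, build_tcp_frame(CLIENT, SERVER, 40000, 25, ACK)),
        (2, build_tcp_frame(CLIENT, SERVER, 40000, 25, PSH | ACK, b"EHLO example\r\n")),
        (3, build_tcp_frame(CLIENT, SERVER, 40000, 25, FIN | ACK)),
    ]
    midstream = [  # rotation happened after the handshake: only PSH/ACK remain
        (4, build_tcp_frame(CLIENT, SERVER, 40001, 25, PSH | ACK, b"...bulk DATA...")),
        (4, build_tcp_frame(SERVER, CLIENT, 25, 40001, ACK)),
    ]
    return build_pcap(full + midstream)


if __name__ == "__main__":
    flows = audit_flows(sample_pcap())
    for key, info in flows.items():
        status = "mid-stream" if not info["syn"] else "complete start"
        print(f"{key[0]} <-> {key[1]}: {info['packets']} pkts, {status}")
```

To run it against real captures, replace `sample_pcap()` with `open(path, "rb").read()`; a high ratio of mid-stream flows on port 25 across the rotated files is direct evidence that the rotation interval, not the SMTP analyzer, is what keeps the sessions out of smtp.log.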