[Bro] Interesting observation with ssh on non-ssh port

James Lay jlay at slave-tothe-box.net
Wed Apr 2 13:11:45 PDT 2014


On 2014-04-02 14:08, Seth Hall wrote:
> On Apr 2, 2014, at 2:14 PM, James Lay <jlay at slave-tothe-box.net> wrote:
>
>> but there's no trace of it in conn.log.  This obviously explains why I
>> couldn't get the large outbound transfer scripts working, but now I'm
>> curious...is there a reason why this TCP session doesn't show up in
>> conn.log?  Running bro 2.2...thank you.
>
> Did you close down the connection?  Bro doesn’t log anything until
> the connection ends.  In scripts though you could use the ConnPolling
> thing that Jon Siwek mentioned in another thread to monitor the
> connection in-flight.  Typically I don’t recommend relying on the log
> events except for very simple tasks.  Doing any sort of in-progress
> monitoring of connections is almost intrinsically not a simple task.
>
>   .SEth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

Hi Seth,

I absolutely did.  I was originally scp'ing a file, then started to 
test with ssh'ing to the host and exiting out.  Is there a way to debug 
this?  I think I even compiled it for debugging :)

James


