[Bro] Bro bug?

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Sun Jan 19 09:06:03 PST 2014

Yes and that is the intention.  If you look at the email alert in the email you will see a report size of over 1GB and the Bro script only send emails on any Tx over 50MB.  

Thank you,
Brian Kellogg

-----Original Message-----
From: John Green [mailto:john at giggled.org] 
Sent: Sunday, January 19, 2014 12:01 PM
To: Kellogg, Brian D (OLN)
Subject: Re: [Bro] Bro bug?

Hi Brian,

        const recordTx = 1024000;
                 # destination hosts to record if over this many bytes

alert on any transfer approximately > 1MB rather than 1GB?


On 19 January 2014 16:45, Kellogg, Brian D (OLN) <bkellogg at dresser-rand.com> wrote:
> largeTx.bro alerts on any outgoing Txs over X bytes.  If of sufficient size it sends an email alert.
> get.bash uses tshark to extract captured Security Onion FPC packets from /nsm/sensor_data/so-OLN-eth0/dailylogs/2014-01-19.
> I received an email alert saying that transmitted over 1GB of information to  Therefore I went to the FPC directory above to extract this communication to see what it was.  The extracted content was ~3.5MB in size.
> I've tested this with several large file uploads and have gotten consistent and accurate results with all tests.  Therefore I'm confused as to how this alert was generated.
> Is this an intermittent bug possibly or am I not understanding something?
> The email alert I received from Bro 2.2 on Security Onion with all the latest patches is included as well.  The duration is odd as well.  I've received a handful of similar alerts for large transfers and very short durations.
> Thank you,
> Brian Kellogg
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list