[Bro] Bro bug?
Kellogg, Brian D (OLN)
bkellogg at dresser-rand.com
Sun Jan 19 09:06:03 PST 2014
Yes, and that is the intention. If you look at the email alert in the email, you will see a report size of over 1GB, and the Bro script only sends emails on any Tx over 50MB.
From: John Green [mailto:john at giggled.org]
Sent: Sunday, January 19, 2014 12:01 PM
To: Kellogg, Brian D (OLN)
Subject: Re: [Bro] Bro bug?
const recordTx = 1024000;
# destination hosts to record if over this many bytes
alert on any transfer approximately > 1MB rather than 1GB?
On 19 January 2014 16:45, Kellogg, Brian D (OLN) <bkellogg at dresser-rand.com> wrote:
> largeTx.bro alerts on any outgoing Txs over X bytes. If of sufficient size it sends an email alert.
> get.bash uses tshark to extract captured Security Onion FPC packets from /nsm/sensor_data/so-OLN-eth0/dailylogs/2014-01-19.
> I received an email alert saying that 220.127.116.11 transmitted over 1GB of information to 18.104.22.168. Therefore I went to the FPC directory above to extract this communication to see what it was. The extracted content was ~3.5MB in size.
> I've tested this with several large file uploads and have gotten consistent and accurate results with all tests. Therefore I'm confused as to how this alert was generated.
> Is this an intermittent bug possibly or am I not understanding something?
> The email alert I received from Bro 2.2 on Security Onion with all the latest patches is included as well. The duration is odd as well. I've received a handful of similar alerts for large transfers and very short durations.
> Thank you,
> Brian Kellogg
> Bro mailing list
> bro at bro-ids.org
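A practical way to check an alert like the one discussed in this thread is to go back to the conn.log entry behind it and compare the payload count the script thresholds on (orig_bytes) with what was actually captured. The script below is an added example and is not part of this thread, of largeTx.bro, or of Security Onion. It assumes the standard Bro 2.x conn.log columns (orig_bytes, orig_ip_bytes, missed_bytes, duration), uses the recordTx value quoted above (1024000 bytes) and the 50MB email threshold (taken here as 50 MiB), and runs over a small constructed conn.log embedded inline; the addresses and uids in that sample are invented.

```python
"""Re-check largeTx-style alerts against a Bro 2.x conn.log.

Added example, not code from the thread or from largeTx.bro. Assumes the
standard Bro 2.x conn.log columns; thresholds follow the thread.
"""
import sys

RECORD_TX = 1024000            # thread: const recordTx = 1024000;
EMAIL_TX = 50 * 1024 * 1024    # thread: email on any Tx over 50MB (assumed MiB)


def parse_conn_log(text):
    """Parse Bro's TSV log; the #fields header line names the columns."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data line before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def _int(v):
    return 0 if v in ("-", "") else int(v)


def _float(v):
    return 0.0 if v in ("-", "") else float(v)


def check_large_tx(rows, link_bps=1_000_000_000):
    """Apply the record/email thresholds and flag byte counts that look inflated.

    orig_bytes is the payload count derived from TCP sequence numbers, while
    orig_ip_bytes is the IP-layer byte count of packets actually seen; a
    transfer whose orig_bytes far exceeds orig_ip_bytes, carries missed_bytes,
    or implies a rate above the link speed did not cross the wire as reported.
    """
    out = []
    for r in rows:
        orig_bytes = _int(r["orig_bytes"])
        if orig_bytes <= RECORD_TX:
            continue
        seen = _int(r["orig_ip_bytes"])
        missed = _int(r["missed_bytes"])
        dur = _float(r["duration"])
        flags = []
        if orig_bytes > seen:
            flags.append("orig_bytes exceeds orig_ip_bytes actually captured")
        if missed:
            flags.append("missed_bytes=%d (content gaps)" % missed)
        if dur > 0 and orig_bytes * 8 / dur > link_bps:
            flags.append("implied rate %.2f Gbit/s exceeds link"
                         % (orig_bytes * 8 / dur / 1e9))
        out.append({
            "uid": r["uid"], "orig": r["id.orig_h"], "resp": r["id.resp_h"],
            "orig_bytes": orig_bytes, "orig_ip_bytes": seen, "duration": dur,
            "level": "email" if orig_bytes > EMAIL_TX else "record",
            "flags": flags,
        })
    return out


# Constructed sample conn.log (subset of the standard columns, tab separated).
_COLS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
         "proto", "duration", "orig_bytes", "resp_bytes", "missed_bytes",
         "orig_ip_bytes", "resp_ip_bytes"]
_ROWS = [
    # 1.1 GB claimed in 2.5 s, but only 3.6 MB of packets were captured
    ["1390147200.1", "CsAmp1Hyp0", "192.0.2.10", "51234", "198.51.100.5", "443",
     "tcp", "2.5", "1100000000", "8192", "1096400000", "3600000", "12000"],
    # an ordinary 3.5 MB upload over two minutes
    ["1390147300.7", "CsAmp2Hyp0", "192.0.2.10", "51300", "198.51.100.7", "443",
     "tcp", "120.4", "3500000", "9000", "0", "3700000", "20000"],
    # below the record threshold, ignored
    ["1390147400.2", "CsAmp3Hyp0", "192.0.2.11", "40000", "198.51.100.9", "80",
     "tcp", "1.0", "60000", "4000", "0", "64000", "6000"],
]
SAMPLE_CONN_LOG = "\n".join(
    ["#separator \\x09", "#path\tconn", "#fields\t" + "\t".join(_COLS)]
    + ["\t".join(r) for r in _ROWS]
)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONN_LOG
    for hit in check_large_tx(parse_conn_log(text)):
        print("%s %s -> %s %d bytes (%s) seen=%d dur=%.1fs %s" % (
            hit["level"].upper(), hit["orig"], hit["resp"], hit["orig_bytes"],
            hit["uid"], hit["orig_ip_bytes"], hit["duration"],
            "; ".join(hit["flags"]) or "consistent"))
```

Run it against the real conn.log for the day (`python check_large_tx.py /nsm/bro/logs/2014-01-19/conn.log`, path assumed) and look at the uid that produced the email: if orig_bytes is far above orig_ip_bytes, the 1GB figure came from sequence-number accounting rather than from packets on the wire, which is consistent with a short duration and a small extracted pcap.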