[Bro] Bro bug?

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Sun Jan 19 09:22:10 PST 2014

1390143300.845103	Cma6473thsxripFj9k	3326	80	tcp	-	0.092641	1056737769	0	RSTOS0	T	0	SaR	2	88	1	40	(empty)	-	US	so-eth0

Thank you,
Brian Kellogg

-----Original Message-----
From: Justin Azoff [mailto:JAzoff at albany.edu] 
Sent: Sunday, January 19, 2014 12:09 PM
To: Kellogg, Brian D (OLN)
Cc: bro at bro.org
Subject: Re: [Bro] Bro bug?

On Sun, Jan 19, 2014 at 04:45:11PM +0000, Kellogg, Brian D (OLN) wrote:
> largeTx.bro alerts on any outgoing Txs over X bytes.  If of sufficient size it sends an email alert.
> I received an email alert saying that transmitted over 1GB of information to  Therefore I went to the FPC directory above to extract this communication to see what it was.  The extracted content was ~3.5MB in size. 

> Message: Orig transmitted 1056737769 bytes to resp.  Duration 0.092641 sec.  Connection UID Cma6473thsxripFj9k.

Can you post the full conn.log entry for this connection? That might help explain what is going on.

    grep Cma6473thsxripFj9k conn.log

should find the exact entry.

-- Justin Azoff

More information about the Bro mailing list