[Bro] Bro bug?
Kellogg, Brian D (OLN)
bkellogg at dresser-rand.com
Sun Jan 19 09:22:10 PST 2014
1390143300.845103 Cma6473thsxripFj9k 220.127.116.11 3326 18.104.22.168 80 tcp - 0.092641 1056737769 0 RSTOS0 T 0 SaR 2 88 1 40 (empty) - US so-eth0
From: Justin Azoff [mailto:JAzoff at albany.edu]
Sent: Sunday, January 19, 2014 12:09 PM
To: Kellogg, Brian D (OLN)
Cc: bro at bro.org
Subject: Re: [Bro] Bro bug?
On Sun, Jan 19, 2014 at 04:45:11PM +0000, Kellogg, Brian D (OLN) wrote:
> largeTx.bro alerts on any outgoing Txs over X bytes. If of sufficient size it sends an email alert.
> I received an email alert saying that 22.214.171.124 transmitted over 1GB of information to 126.96.36.199. Therefore I went to the FPC directory above to extract this communication to see what it was. The extracted content was ~3.5MB in size.
> Message: Orig transmitted 1056737769 bytes to resp. Duration 0.092641 sec. Connection UID Cma6473thsxripFj9k.
Can you post the full conn.log entry for this connection? That might help explain what is going on.
grep Cma6473thsxripFj9k conn.log
should find the exact entry.
-- Justin Azoff
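
Added example, not part of the original thread or of Bro's own code: a consistency check run on the conn.log entry quoted at the top of this message. It assumes Bro's default conn.log column order and relies on the documented behaviour that orig_bytes for TCP is taken from sequence numbers while orig_pkts and orig_ip_bytes are counted from packets seen on the wire; the function names and the 40-byte minimum header bound (IPv4 plus TCP, no options) are assumptions of this example.

```python
# Added example: column order assumed to be Bro's default conn.log layout.
CONN_FIELDS = [
    "ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
    "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
    "missed_bytes", "history", "orig_pkts", "orig_ip_bytes", "resp_pkts",
    "resp_ip_bytes", "tunnel_parents",
]
MIN_HDR = 40  # assumption: smallest IPv4 header (20) + TCP header (20), bytes

# The conn.log entry quoted in the message (whitespace-separated as archived).
SAMPLE = ("1390143300.845103 Cma6473thsxripFj9k 220.127.116.11 3326 "
          "18.104.22.168 80 tcp - 0.092641 1056737769 0 RSTOS0 T 0 SaR "
          "2 88 1 40 (empty) - US so-eth0")


def parse_conn(line):
    """Map one conn.log line to a dict; extra trailing columns are ignored."""
    values = line.split()
    if len(values) < len(CONN_FIELDS):
        raise ValueError("short conn.log line")
    return dict(zip(CONN_FIELDS, values))


def _num(value):
    """conn.log writes '-' for unset fields; treat those as unknown (None)."""
    return None if value == "-" else int(value)


def check_orig_bytes(rec):
    """Compare sequence-derived orig_bytes with the on-the-wire counters.

    Returns (plausible, max_payload). max_payload is None when a counter is
    unset or content gaps were reported, because no bound can be computed.
    """
    payload = _num(rec["orig_bytes"])
    pkts, ip_bytes = _num(rec["orig_pkts"]), _num(rec["orig_ip_bytes"])
    if None in (payload, pkts, ip_bytes) or _num(rec["missed_bytes"]):
        return True, None
    max_payload = max(ip_bytes - pkts * MIN_HDR, 0)
    return payload <= max_payload, max_payload


if __name__ == "__main__":
    rec = parse_conn(SAMPLE)
    ok, bound = check_orig_bytes(rec)
    print("%s %s %s orig_bytes=%s plausible=%s max_payload=%s" % (
        rec["uid"], rec["conn_state"], rec["history"],
        rec["orig_bytes"], ok, bound))
```

For the entry above the originator sent 2 packets totalling 88 IP-level bytes, so the reported 1056737769 payload bytes cannot have crossed the wire, which matches the small size of the extracted capture.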