[Bro] Does Bro generate only one event for one network connection?
dnthayer at illinois.edu
Wed Aug 5 09:36:58 PDT 2015
It is possible for Bro to generate more than one event.
For example, it is possible for one UDP packet to generate
both "udp_reply" and "udp_contents" events.
Similarly, an HTTP request will cause Bro to generate an
"http_request" event and a "tcp_packet" event.
All of the Bro events are described in the documentation:
On 08/05/2015 08:12 AM, Nuyun Zhang wrote:
> Dear Bro team,
> I have a question about Bro. Does Bro generate only one event for
> one packet/connection? Or Bro will generate multiple events for one
> I have read the paper "Bro: A system for Detecting Network Intruder
> in Real-time." The example showed Bro did generate a "Finger" event when
> the connection meets more conditions instead of a TCP_connection event.
> Is this always true?
> Nuyun Zhang (Nellie) Ph.D.
> Research Associate
> CCIT of Clemson University
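
The behaviour described in the reply can be observed with a short Bro script. This is an added example, not part of the original thread or of the Bro distribution: it counts how often each of the four events named above fires per connection uid. The names `seen` and `tally` are made up for the example, and the trace file in the final comment is the reader's own.

```bro
# Added example: count the events Bro raises for each connection.

# udp_contents is only generated when UDP payload delivery is enabled.
redef udp_content_deliver_all_orig = T;
redef udp_content_deliver_all_resp = T;

# connection uid -> (event name -> number of times raised)
global seen: table[string] of table[string] of count;

function tally(c: connection, ev: string)
    {
    if ( c$uid !in seen )
        seen[c$uid] = table();
    if ( ev !in seen[c$uid] )
        seen[c$uid][ev] = 0;
    ++seen[c$uid][ev];
    }

event udp_reply(u: connection)
    { tally(u, "udp_reply"); }

event udp_contents(u: connection, is_orig: bool, contents: string)
    { tally(u, "udp_contents"); }

# tcp_packet is raised once per TCP packet, so handling it is expensive.
# It is handled here only to show it firing next to http_request.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    { tally(c, "tcp_packet"); }

event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    { tally(c, "http_request"); }

# Report and clean up when Bro is about to drop the connection's state.
event connection_state_remove(c: connection)
    {
    if ( c$uid !in seen )
        return;
    for ( ev in seen[c$uid] )
        print fmt("%s %s raised %d time(s)", c$uid, ev, seen[c$uid][ev]);
    delete seen[c$uid];
    }

# Run against a capture of your own, e.g.: bro -r <trace.pcap> <this-script>.bro
```

A connection that carries an HTTP request shows up with both a `tcp_packet` line and an `http_request` line under the same uid.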