[Bro] conn.log history has letter 'Q'?

Seth Hall seth at icir.org
Fri Aug 21 06:49:11 PDT 2015


> On Aug 21, 2015, at 2:20 AM, 김희철 <hckim at narusec.com> wrote:
> 
> I	inconsistent packet (e.g. SYN+RST bits both set)

I don’t actually know what ‘I’ stands for, but it’s for fin/rst packets, not syn/rst (although that would also be viable as long as fin is also set)

> L	a fin/rst

I don’t believe that ‘L’ is a valid flag for the history field. Where did you find this?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
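As an added illustration (not part of the thread, and not Bro project code): a small scanner that reads constructed conn.log rows, reports which connections carry the inconsistent-packet letter discussed above, and flags any history letter that is not in the documented alphabet, which is how an analyst would catch a stray ‘L’ in a parsing script. The letter set is an assumption taken from the Bro/Zeek conn.log documentation; the rows and uids are constructed sample data.

```python
"""Check conn.log history strings for inconsistent-packet flags and unknown letters."""

# Letters the Bro/Zeek docs list for the conn.log history field (assumption,
# not taken from the thread). Uppercase = originator, lowercase = responder.
KNOWN_HISTORY_LETTERS = set("SsHhAaDdFfRrCcGgTtWwIiQq^")

# Constructed conn.log rows (tab-separated: ts, uid, id.orig_h, id.resp_h, history).
SAMPLE_ROWS = [
    "1440150000.000\tCabc1\t10.0.0.5\t10.0.0.9\tShADadFf",  # normal handshake + teardown
    "1440150001.000\tCabc2\t10.0.0.5\t10.0.0.9\tShAI",      # originator sent a FIN+RST packet
    "1440150002.000\tCabc3\t10.0.0.5\t10.0.0.9\tSLa",       # contains a letter Bro never emits
]


def parse_history(line):
    """Return (uid, history) from one tab-separated conn.log row."""
    fields = line.rstrip("\n").split("\t")
    return fields[1], fields[-1]


def classify_history(history):
    """Flag the inconsistent-packet letter and any letter outside the documented set."""
    unknown = sorted({c for c in history if c not in KNOWN_HISTORY_LETTERS})
    return {
        "inconsistent": "I" in history or "i" in history,
        "unknown": unknown,
    }


def scan(rows):
    """Map each uid to its classification so the result can be inspected or asserted on."""
    results = {}
    for row in rows:
        uid, history = parse_history(row)
        results[uid] = classify_history(history)
    return results


if __name__ == "__main__":
    for uid, info in scan(SAMPLE_ROWS).items():
        print(uid, info)
```

Unknown letters usually point at a typo in a reference table or a hand-written log rather than at Bro itself, so the check is a cheap sanity test to run before trusting a third-party cheat sheet.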