[Bro] Differences between conn.log and known_services.log

Seth Hall seth at icir.org
Wed Jan 7 09:41:10 PST 2015


> On Jan 7, 2015, at 10:17 AM, Vito Logrillo <vitologrillo at gmail.com> wrote:
> 
> conn.log and known_services.log have a field named "service":
> sometimes this filed is empty in conn.log but in known_services.log is
> not…Why?

It’s due to what is actually being logged in both of those logs.  conn.log has information per-connection so you can imagine that someone might connect to a host and not actually speak the protocol that the server speaks and we don’t detect any protocol.  known_services.log is generally trying to figure out what protocol a host-port pair speaks and logs that.  If no protocol is detected, we try to delay logging the fact that the port is held open in the hopes that a better connection will happen later.

Make sense?

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/




More information about the Bro mailing list