[Bro] Differences between conn.log and known_services.log
vitologrillo at gmail.com
Thu Jan 8 01:45:43 PST 2015
thanks for your reply. Is it correct to say that the difference
between conn.log and known_services.log is that conn.log is based on a
real-time analysis and and known_services.log is based on a delayed
analysis?is it right or not?
Another question: if known_services identifies a service on a
addr/port, that information is later used by conn.log or not?
2015-01-07 18:41 GMT+01:00 Seth Hall <seth at icir.org>:
>> On Jan 7, 2015, at 10:17 AM, Vito Logrillo <vitologrillo at gmail.com> wrote:
>> conn.log and known_services.log have a field named "service":
>> sometimes this filed is empty in conn.log but in known_services.log is
> It’s due to what is actually being logged in both of those logs. conn.log has information per-connection so you can imagine that someone might connect to a host and not actually speak the protocol that the server speaks and we don’t detect any protocol. known_services.log is generally trying to figure out what protocol a host-port pair speaks and logs that. If no protocol is detected, we try to delay logging the fact that the port is held open in the hopes that a better connection will happen later.
> Make sense?
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
More information about the Bro