[Bro] Differences between conn.log and known_services.log

Vito Logrillo vitologrillo at gmail.com
Thu Jan 8 01:45:43 PST 2015


Hi Seth,
thanks for your reply. Is it correct to say that the difference
between conn.log and known_services.log is that conn.log is based on a
real-time analysis and known_services.log is based on a delayed
analysis? Is it right or not?
Another question: if known_services identifies a service on a
addr/port, that information is later used by conn.log or not?
Thanks
Vito


2015-01-07 18:41 GMT+01:00 Seth Hall <seth at icir.org>:
>
>> On Jan 7, 2015, at 10:17 AM, Vito Logrillo <vitologrillo at gmail.com> wrote:
>>
>> conn.log and known_services.log have a field named "service":
>> sometimes this field is empty in conn.log but in known_services.log is
>> not… Why?
>
> It’s due to what is actually being logged in both of those logs.  conn.log has information per-connection so you can imagine that someone might connect to a host and not actually speak the protocol that the server speaks and we don’t detect any protocol.  known_services.log is generally trying to figure out what protocol a host-port pair speaks and logs that.  If no protocol is detected, we try to delay logging the fact that the port is held open in the hopes that a better connection will happen later.
>
> Make sense?
>
>   .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
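As an added illustration (not code from Bro or from anyone in this thread) of the behaviour Seth describes: per-connection `service` in conn.log stays empty when that particular connection never spoke a recognised protocol, while a known_services-style view keys on the responder host/port pair and holds the pair back until some connection to it is detected. The log rows and the aggregation logic below are constructed assumptions; only the TSV convention (tab-separated, `-` for unset) follows Bro's log format.

```python
"""Why a conn.log row can have an empty `service` while
known_services.log lists one for the same host/port pair."""
from collections import defaultdict

# Constructed conn.log rows (subset of columns):
# ts, uid, orig_h, orig_p, resp_h, resp_p, proto, service
CONN_LOG = """\
1420650000.1\tCabc1\t10.0.0.5\t51000\t192.168.1.10\t80\ttcp\t-
1420650001.2\tCabc2\t10.0.0.6\t51001\t192.168.1.10\t80\ttcp\thttp
1420650002.3\tCabc3\t10.0.0.7\t51002\t192.168.1.10\t443\ttcp\t-
1420650003.4\tCabc4\t10.0.0.5\t51003\t192.168.1.10\t80\ttcp\t-
"""

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service"]


def parse_conn(text):
    """Parse constructed conn.log rows into dicts; `-` becomes None."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        vals = [None if v == "-" else v for v in line.split("\t")]
        rows.append(dict(zip(FIELDS, vals)))
    return rows


def known_services(conns):
    """Hypothetical model of the known_services idea: key on the responder
    host/port/proto, log the pair as soon as any connection to it is detected
    speaking a protocol, and hold pairs with no detected protocol as pending
    (the 'delayed' logging Seth mentions)."""
    logged = {}
    pending = set()
    for c in conns:
        key = (c["resp_h"], c["resp_p"], c["proto"])
        if key in logged:
            continue
        if c["service"] is not None:
            logged[key] = c["service"]
            pending.discard(key)
        else:
            pending.add(key)
    return logged, pending


def empty_but_known(conns, logged):
    """UIDs of connections with no per-connection service even though the
    responder pair has a known service: the mismatch the question asks about."""
    return [c["uid"] for c in conns
            if c["service"] is None and (c["resp_h"], c["resp_p"], c["proto"]) in logged]
```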
