[Bro] tx_hosts and rx_hosts in files.log
ali at ashemery.com
Sat May 30 12:16:07 PDT 2015
If you use the PCAP below and analyze it using Bro:
Then when checking the files.log, the tx_hosts is supposed to show the host
who transmitted the file, and rx_hosts is for the host who received the
file based on Bro's documentation:
If you do the following:
cat files.log | bro-cut fuid tx_hosts rx_hosts | grep <ID OF THE LEAKED PDF
You'll get that the TX Host IP (SrcIP) is 192.168.121.176 and
not 192.168.121.179!!!
Is there something I'm doing wrong, or has Bro switched their positions in
Thanks in advance,