[Bro] tx_hosts and rx_hosts in files.log

Ali Hadi ali at ashemery.com
Sat May 30 12:16:07 PDT 2015


If you use the PCAP below and analyze it using Bro:

Then when checking the files.log, the tx_hosts is supposed to show the host
who transmitted the file, and rx_hosts is for the host who received the
file based on Bro's documentation:

If you do the following:
cat files.log | bro-cut fuid tx_hosts rx_hosts | grep <ID OF THE LEAKED PDF

You'll get that the TX Host IP (SrcIP) is and
not !!!

Is there something I'm doing wrong, or has bro switched their positions in
the output?

​Thanks in advance,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150530/26f505d9/attachment.html 

More information about the Bro mailing list