[Bro] tx_hosts and rx_hosts in files.log
vlad at grigorescu.org
Sun May 31 14:35:40 PDT 2015
Thanks for the bug report. Looks like this comes from the assumption made
On Sat, May 30, 2015 at 2:16 PM, Ali Hadi <ali at ashemery.com> wrote:
> If you use the PCAP below and analyze it using Bro:
> Then when checking the files.log, the tx_hosts is supposed to show the
> host who transmitted the file, and rx_hosts is for the host who received
> the file based on Bro's documentation:
> If you do the following:
> cat files.log | bro-cut fuid tx_hosts rx_hosts | grep <ID OF THE LEAKED PDF FILE>
> You'll get that the TX Host IP (SrcIP) is 192.168.121.176 and
> not 192.168.121.179 !!!
> Is there something I'm doing wrong, or has Bro switched their positions in
> the output?
> Thanks in advance,