[Bro] huge weird.log/conn.log
vladg at illinois.edu
Thu Dec 1 08:14:25 PST 2016
Can you take a look at what weirds, specifically, you're getting?
> cat weird.log | bro-cut name | sort | uniq -c | sort -n
erik clark <philosnef at gmail.com> writes:
> I have two bro sensors. One is running 2.5, one is running 2.4.1. Both are
> running on the same link off the tap.
> The weird.log on the 2.5 box is 6 times bigger than the weird.log on the
> 2.4.1 log. Any idea why this might be? How can I troubleshoot this?
> My conn.log is 3 times bigger. For reference:
> conn.log -> 2.5 (45 minutes) 17 gig
> conn.log -> 2.4.1 (45 min) 5.5 gig
> weird.log -> 2.5 (45 minutes) 11 gig
> weird.log -> 2.4.1 (45 minutes) 1.2 gig
> These numbers seem to be WAY off. I have no idea how to even try and parse
> this to see what is going on.
> Packet loss on 2.4.1 is 6%
> Packet loss on 2.5 is 1%.
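To act on that suggestion across both sensors, here is an added Python example (not from the thread or from the Bro project) that reads Bro's ASCII log headers, tallies the `name` column the way `bro-cut name | sort | uniq -c` does, and reports which weird names account for the growth on the 2.5 box. The log lines and weird names below are constructed for illustration.

```python
from collections import Counter

def parse_bro_log(text):
    """Yield one dict per record of a Bro ASCII log, using its #separator and #fields headers."""
    sep, fields = "\t", None
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Bro writes the value escaped, e.g. "\x09" for a tab
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line.startswith("#") or not line.strip():
            continue  # #set_separator, #path, #types, #close and blank lines
        else:
            yield dict(zip(fields, line.split(sep)))

def weird_counts(text):
    """Tally of weird.log records by 'name', like `bro-cut name | sort | uniq -c`."""
    return Counter(rec["name"] for rec in parse_bro_log(text))

def compare_weirds(old_text, new_text):
    """Return [(name, old_count, new_count, growth_ratio)], highest new_count first."""
    old, new = weird_counts(old_text), weird_counts(new_text)
    names = sorted(set(old) | set(new), key=lambda n: (-new[n], n))
    return [(n, old[n], new[n], new[n] / old[n] if old[n] else float("inf")) for n in names]

# --- constructed sample logs (not real sensor data); fields match a 2.x weird.log ---
HEADER = ("#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n"
          "#path\tweird\n#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
          "\tname\taddl\tnotice\tpeer\n")

def _rec(name):
    return f"1480608865.0\tCabc1\t10.0.0.1\t51234\t10.0.0.2\t80\t{name}\t-\tF\tbro\n"

OLD_LOG = HEADER + _rec("bad_TCP_checksum") + _rec("data_before_established")        # "2.4.1" sensor
NEW_LOG = (HEADER + _rec("bad_TCP_checksum") * 3 + _rec("data_before_established")
           + _rec("active_connection_reuse"))                                         # "2.5" sensor

if __name__ == "__main__":
    for name, o, n, ratio in compare_weirds(OLD_LOG, NEW_LOG):
        print(f"{name:32s} 2.4.1={o:6d} 2.5={n:6d} x{ratio:.1f}")
```

Run it against the real files with `compare_weirds(open("weird-2.4.1.log").read(), open("weird-2.5.log").read())`; names with a large ratio are the ones to chase.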