[Bro] Log serial number in ssl.log
bobharrelsons at gmail.com
Thu Mar 30 08:11:19 PDT 2017
The workaround is working.
On Wed, Mar 29, 2017 at 6:52 PM, Robert Harrelson <bobharrelsons at gmail.com>
> Yes, I am running bro on an iMac having IP address 10.245.44.33 .
> I will try out the workarounds for ignoring checksums tomorrow, and let
> you know how it went. Let me know if you have any more advice, I am all
> Thank you so much!
> On Wed, Mar 29, 2017 at 5:44 PM, Azoff, Justin S <jazoff at illinois.edu>
>> > On Mar 29, 2017, at 5:38 PM, Robert Harrelson <bobharrelsons at gmail.com>
>> > Dear Justin,
>> > Sorry for that mistake. I may have mixed up the files. I just re-ran
>> bro and have copied below the results of ssl.log and conn.log.
>> > Thanks again for your help!
>> > --Robert
>> > conn.log
>> > #separator \x09
>> > #set_separator ,
>> > #empty_field (empty)
>> > #unset_field -
>> > #path conn
>> > #open 2017-03-29-17-27-40
>> > #fields ts uid id.orig_h id.orig_p
>> id.resp_h id.resp_p proto service duration
>> orig_bytes resp_bytes conn_state local_orig local_resp
>> missed_bytes history orig_pkts orig_ip_bytes resp_pkts
>> resp_ip_bytes tunnel_parents
>> > #types time string addr port addr port enum
>> string interval count count string bool bool count
>> string count count count count set[string]
>> > 1490822851.106865 Ckk89B3l4i616mbQx6 10.245.44.33 61486
>> 184.108.40.206 443 tcp - 12.846213 0 4118
>> SHR - - 0 ^hadf 0 0 9 4594
>> Ah yes... the hadf for all of your connection histories shows that Bro is
>> only seeing half of your connections
>> Are you running bro on 10.245.44.33 itself?
>> - Justin Azoff
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro