[Bro] http.log q.
johanna at icir.org
Fri Jan 12 08:55:34 PST 2018
If you take a look at the timestamps in the log that you posted you will
notice that the transaction depth value is in the correct order if you
sort the log by timestamp.
Bro log files are generally not guaranteed to be well-ordered - though I am
admittedly not 100% sure without looking into the http scripts why the
http.log sent by a single worker would be reordered like that :)
I hope this helps,
On Wed, Jan 10, 2018 at 02:49:46PM -0800, Dk Jack wrote:
> In a cluster environment, in the HTTP log, for the same connection-id, i.e.
> same 4-tuple and UID, is it ok if the transaction depth field value is
> lower than the txn-depth of some of the lines that came before it? For
> example, I am seeing txns as shown below...
> 1515542375.578187 CGR1kN3pynC8a3GXK1 10.20.11.1 7867 10.20.11.120 9453
> 79 POST ...
> 1515542387.701328 CGR1kN3pynC8a3GXK1 10.20.11.1 7867 10.20.11.120 9453
> 90 POST ...
> 1515542354.674611 CGR1kN3pynC8a3GXK1 10.20.11.1 7867 10.20.11.120 9453
> 55 POST ...
> 1515542382.015911 CGR1kN3pynC8a3GXK1 10.20.11.1 7867 10.20.11.120 9453
> 85 POST ...
> Is this normal? What is the explanation? Thanks.
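A small check for the point made in the reply, added here as an example that is not part of the thread or of the Bro project: group http.log lines by UID, sort them by ts, and confirm trans_depth then increases. The four quoted lines are embedded as the sample, and the visible columns are assumed to be ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, trans_depth, method.

```python
from collections import defaultdict

# Constructed sample: the four http.log lines quoted above, limited to the
# columns visible in the post (the trailing fields were elided there).
SAMPLE_LOG = """\
1515542375.578187 CGR1kN3pynC8a3GXK1 10.20.11.1 7867 10.20.11.120 9453 79 POST
1515542387.701328 CGR1kN3pynC8a3GXK1 10.20.11.1 7867 10.20.11.120 9453 90 POST
1515542354.674611 CGR1kN3pynC8a3GXK1 10.20.11.1 7867 10.20.11.120 9453 55 POST
1515542382.015911 CGR1kN3pynC8a3GXK1 10.20.11.1 7867 10.20.11.120 9453 85 POST
"""

def parse_http_log(text):
    """Parse http.log lines (tab- or space-separated) into dicts.

    Lines starting with '#' (Bro's header/footer lines) are skipped and only
    the leading columns are interpreted, so extra fields do no harm.
    """
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        records.append({
            "ts": float(f[0]),
            "uid": f[1],
            "trans_depth": int(f[6]),
            "method": f[7] if len(f) > 7 else "-",
        })
    return records

def sorted_depths(records):
    """Per UID, the trans_depth values in timestamp order."""
    by_uid = defaultdict(list)
    for r in records:
        by_uid[r["uid"]].append(r)
    return {uid: [r["trans_depth"] for r in sorted(recs, key=lambda r: r["ts"])]
            for uid, recs in by_uid.items()}

def depth_gaps(records):
    """Per UID, pairs (previous, current) where trans_depth fails to increase
    after sorting by ts. An empty list means the sequence is consistent, i.e.
    the file was merely written out of order, as the reply above suggests."""
    return {uid: [(a, b) for a, b in zip(depths, depths[1:]) if b <= a]
            for uid, depths in sorted_depths(records).items()}

if __name__ == "__main__":
    print(sorted_depths(parse_http_log(SAMPLE_LOG)))  # {'CGR1kN3pynC8a3GXK1': [55, 79, 85, 90]}
```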