[Bro] conn. uid

Jon Siwek jsiwek at corelight.com
Fri Jan 26 10:42:38 PST 2018


On Wed, Jan 24, 2018 at 7:18 PM, Dk Jack <dnj0496 at gmail.com> wrote:

> Not all the UIDs that show up in my log are present in the
> conn.log. What could be the reason for this?

If you were watching logs in real time, it could be that an entry just
has not been written to conn.log yet since those are generated when
connections end or are inactive for too long (5 mins is Bro's default
timeout for TCP).

Else, I'd try isolating an example pcap where you have something
logged in your custom log but not in conn.log then stepping through
with a debugger to find out what happens to the connections that are
missing from conn.log.  And if you can provide such a pcap and a
minimal example plugin that shows the behavior, I can also help take a
look.

- Jon
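
Added example, not part of the original message or of Bro itself: a small triage script for the situation discussed above. It lists UIDs that appear in a custom log but not in conn.log, and separates those whose last custom-log entry is newer than the 5-minute TCP inactivity timeout (conn.log entry may simply not be written yet) from those that are older and worth isolating in a pcap. The function names, the sample log contents, and the assumption that the custom log carries `ts` and `uid` columns are all hypothetical.

```python
import io

TCP_INACTIVITY_TIMEOUT = 300.0  # seconds; the 5-minute default mentioned above

def read_bro_log(fh):
    """Parse a Bro ASCII (tab-separated) log into dicts keyed by the #fields names."""
    fields, rows = [], []
    for line in fh:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def triage_missing_uids(custom_rows, conn_rows, now, timeout=TCP_INACTIVITY_TIMEOUT):
    """Return (pending, unexplained) lists of custom-log UIDs absent from conn.log.

    pending:     last seen less than `timeout` seconds before `now`, so the
                 connection cannot have hit the inactivity timeout yet.
    unexplained: older than that. A connection that is still open and active
                 also lands here, so treat this as a heuristic, not a verdict.
    """
    conn_uids = {r["uid"] for r in conn_rows}
    last_seen = {}
    for r in custom_rows:
        ts = float(r["ts"])
        last_seen[r["uid"]] = max(ts, last_seen.get(r["uid"], ts))
    pending, unexplained = [], []
    for uid, ts in sorted(last_seen.items()):
        if uid not in conn_uids:
            (pending if now - ts < timeout else unexplained).append(uid)
    return pending, unexplained

# Constructed sample logs (not real traffic).
SAMPLE_CONN = ("#separator \\x09\n#fields\tts\tuid\tid.orig_h\n"
               "1516819000.0\tCaaa1\t10.0.0.1\n")
SAMPLE_CUSTOM = ("#fields\tts\tuid\n"
                 "1516819000.5\tCaaa1\n"
                 "1516819100.0\tCbbb2\n"
                 "1516819890.0\tCccc3\n")

if __name__ == "__main__":
    conn = read_bro_log(io.StringIO(SAMPLE_CONN))
    custom = read_bro_log(io.StringIO(SAMPLE_CUSTOM))
    pending, unexplained = triage_missing_uids(custom, conn, now=1516820000.0)
    print("possibly not written yet:", pending)
    print("investigate with a pcap:", unexplained)
```

When run against live logs, pass the current time (or the newest timestamp in the logs) as `now`.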

