[Bro] conn. uid

Dk Jack dnj0496 at gmail.com
Fri Jan 26 10:47:46 PST 2018


Hi Jon,
Thanks for your insight. I think you and Mark are correct. I haven’t seen this when I use a pcap. I’ll continue to monitor. Thanks again.



> On Jan 26, 2018, at 10:42 AM, Jon Siwek <jsiwek at corelight.com> wrote:
> 
>> On Wed, Jan 24, 2018 at 7:18 PM, Dk Jack <dnj0496 at gmail.com> wrote:
>> 
>> Not all the UIDs that show up in my log are present in the
>> conn.log. What could be the reason for this?
> 
> If you were watching logs in real time, it could be that an entry just
> has not been written to conn.log yet since those are generated when
> connections end or are inactive for too long (5 mins is Bro's default
> timeout for TCP).
> 
> Else, I'd try isolating an example pcap where you have something
> logged in your custom log but not in conn.log then stepping through
> with a debugger to find out what happens to the connections that are
> missing from conn.log.  And if you can provide such a pcap and a
> minimal example plugin that shows the behavior, I can also help take a
> look.
> 
> - Jon
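A small cross-check script that does what Jon suggests before reaching for a debugger: read a custom Bro log and conn.log, list the UIDs that appear in the custom log but not in conn.log, and split them into entries that may simply not have been flushed yet (the connection's last activity is still within Bro's 5 minute TCP inactivity timeout) and entries that are old enough to be genuinely unaccounted for. This is an added example, not code from the thread or from the Bro project; the log field names follow Bro's ASCII log format, while the sample UIDs, timestamps and the `myplugin` log path are constructed for illustration.

```python
"""Cross-check UIDs in a custom Bro/Zeek log against conn.log.

Added example (not from the mailing-list thread): reads two Bro-style
TSV logs, reports UIDs present in the custom log but absent from
conn.log, and separates those that may simply not have been flushed yet
(connection still within the inactivity timeout when conn.log was read)
from those that are genuinely unaccounted for.
"""
from typing import Dict, List, Set, Tuple

# Bro's default TCP inactivity timeout, per the thread (5 minutes).
TCP_INACTIVITY_TIMEOUT = 300.0


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro ASCII log: '#fields' names the columns, other '#' lines are metadata."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split("\t")
        rows.append(dict(zip(fields, values)))
    return rows


def find_missing_uids(custom_text: str, conn_text: str, now: float) -> Tuple[Set[str], Set[str]]:
    """Return (pending, missing): UIDs in the custom log that are not in conn.log.

    'pending' are UIDs whose custom-log timestamp is within TCP_INACTIVITY_TIMEOUT
    of `now`; their conn.log entry may just not be written yet. 'missing' are older
    than that and worth isolating in a pcap, as suggested in the thread.
    """
    conn_uids = {r["uid"] for r in parse_bro_log(conn_text)}
    pending: Set[str] = set()
    missing: Set[str] = set()
    for row in parse_bro_log(custom_text):
        uid = row["uid"]
        if uid in conn_uids:
            continue
        age = now - float(row["ts"])
        if age < TCP_INACTIVITY_TIMEOUT:
            pending.add(uid)
        else:
            missing.add(uid)
    return pending, missing


# Constructed sample logs (UIDs, addresses and timestamps are made up for illustration).
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum",
    "1516990000.000000\tCAAAA1\t10.0.0.5\t51000\t10.0.0.9\t80\ttcp",
    "1516990100.000000\tCAAAA2\t10.0.0.5\t51001\t10.0.0.9\t443\ttcp",
])

CUSTOM_LOG = "\n".join([
    "#separator \\x09",
    "#path\tmyplugin",  # hypothetical custom log path
    "#fields\tts\tuid\tnote",
    "#types\ttime\tstring\tstring",
    "1516990000.500000\tCAAAA1\tseen",
    "1516990100.500000\tCAAAA2\tseen",
    "1516990200.000000\tCAAAA3\tseen",  # old enough that conn.log should have it by now
    "1516990590.000000\tCAAAA4\tseen",  # recent: may still be waiting on the timeout
])

if __name__ == "__main__":
    now = 1516990600.0  # constructed "current time" for the check
    pending, missing = find_missing_uids(CUSTOM_LOG, CONN_LOG, now)
    print("possibly not flushed yet:", sorted(pending))
    print("missing from conn.log:   ", sorted(missing))
```

Run it against a copy of the two logs taken at the same instant (pass that instant as `now`); anything in the `missing` set is the case to reproduce from a pcap, while the `pending` set should drain into conn.log after the timeout if the only cause is the delayed write.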
