[Bro] conn. uid
dnj0496 at gmail.com
Fri Jan 26 10:47:46 PST 2018
Thanks for your insight. I think you and Mark are correct. I haven’t seen this when I use a pcap. I’ll continue to monitor. Thanks again.
> On Jan 26, 2018, at 10:42 AM, Jon Siwek <jsiwek at corelight.com> wrote:
>> On Wed, Jan 24, 2018 at 7:18 PM, Dk Jack <dnj0496 at gmail.com> wrote:
>> Not all the UIDs that show up in my log are present in the
>> conn.log. What could be the reason for this?
> If you were watching logs in real time, it could be that an entry just
> has not been written to conn.log yet since those are generated when
> connections end or are inactive for too long (5 mins is Bro's default
> timeout for TCP).
> Else, I'd try isolating an example pcap where you have something
> logged in your custom log but not in conn.log then stepping through
> with a debugger to find out what happens to the connections that are
> missing from conn.log. And if you can provide such a pcap and a
> minimal example plugin that shows the behavior, I can also help take a
> - Jon
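
The check discussed in this thread, as an added example that is not part of the original messages: it lists UIDs present in a custom log but absent from conn.log, and separates those seen within the 5-minute TCP timeout (likely not written yet) from older ones worth isolating in a pcap. The custom log's field names (`ts`, `uid`, `note`), the sample records and the function names are assumptions.

```python
import io

TCP_INACTIVITY_TIMEOUT = 300.0  # seconds: the 5-minute TCP default cited in the thread

def read_bro_log(fh):
    """Yield one dict per record of a Bro TSV log, keyed by its #fields header."""
    fields = []
    for line in fh:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def classify_missing(custom_fh, conn_fh, now, timeout=TCP_INACTIVITY_TIMEOUT):
    """Return (pending, unexplained) UIDs that are in the custom log but not conn.log."""
    conn_uids = {rec["uid"] for rec in read_bro_log(conn_fh)}
    last_seen = {}
    for rec in read_bro_log(custom_fh):
        ts = float(rec["ts"])
        last_seen[rec["uid"]] = max(ts, last_seen.get(rec["uid"], ts))
    pending, unexplained = [], []
    for uid, ts in sorted(last_seen.items()):
        if uid in conn_uids:
            continue
        # Recent activity: the connection has probably not ended or timed out yet.
        # Older entries are only candidates; a long-lived connection also lands here.
        (pending if now - ts <= timeout else unexplained).append(uid)
    return pending, unexplained

# Constructed sample data (UIDs, addresses and the custom log layout are made up).
CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\n"
    "1516992030.0\tCUidAAAA1\t10.0.0.1\n"
)
CUSTOM_LOG = (
    "#fields\tts\tuid\tnote\n"
    "1516992000.0\tCUidAAAA1\tseen\n"
    "1516992010.0\tCUidBBBB2\tseen\n"
    "1516992900.0\tCUidCCCC3\tseen\n"
)
NOW = 1516993000.0  # constructed "current time" for the comparison

if __name__ == "__main__":
    print(classify_missing(io.StringIO(CUSTOM_LOG), io.StringIO(CONN_LOG), NOW))
```

When replaying a pcap, every connection is flushed to conn.log at the end of the run, so the pending list should be empty there.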