[Bro] conn.bro
Mike Muratet
mike.muratet at torchtechnologies.com
Wed Aug 3 08:06:35 PDT 2005
Greetings
I have been doing some experiments with broccoli (thanks again, Christian)
and I'm trying to understand the differences between what I see in real time
from broccoli vis-à-vis some earlier work I did using bro -r a_tcpdump_file
conn.bro. Looking at the conn.bro policy, it looks like it records a
connection record for the events connection_attempt, _partial_close,
_finished, _half_finished, _rejected, and _reset, using
record_connection(connection_record, string). The string parameter denotes
the type of event, but this does not get printed. It does record a state as
part of the connection record which gives you an idea of what the event was
all about. Is my interpretation correct?
Thanks
Mike