[Bro] conn.bro
Christian Kreibich
christian at whoop.org
Wed Aug 3 13:30:21 PDT 2005
Hi Mike,
On Wed, 2005-08-03 at 10:06 -0500, Mike Muratet wrote:
> Greetings
>
> I have been doing some experiments with broccoli (thanks again, Christian)
> and I'm trying to understand the differences between what I see in real time
> from broccoli vis-à-vis some earlier work I did using bro -r a_tcpdump_file
> conn.bro. Looking at the conn.bro policy, it looks like it records a
> connection record for the events connection_attempt, _partial_close,
> _finished, _half_finished, _rejected, and _reset, using
> record_connection(connection_record, string).
Uhmmm, is this using a recent Bro? On 0.9x record_connection() is only
triggered when a connection is expired, that is, from event
connection_state_remove(). Also, its signature is
function record_connection(f: file, c: connection)
> The string parameter denotes
> the type of event, but this does not get printed. It does record a state as
> part of the connection record which gives you an idea of what the event was
> all about. Is my interpretation correct?
Yes, record_connection() prints a summary of the connection's lifetime,
including a short summary of how Bro thinks it got created, torn down,
etc. See
http://www.bro-ids.org/Bro-reference-manual/Connection-summaries.html
Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
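As an added illustration (not part of Christian's reply or of the Bro distribution), this is the shape of the wiring he describes: a 0.9x-style conn.bro only calls record_connection(f: file, c: connection) from the connection_state_remove() handler, so a summary line is written once, when Bro expires the connection, rather than per connection_attempt/_finished/_reset event. The log file name "conn", the conn_log variable and the use of open_log_file() are assumptions of this example.

```bro
# Added example, not code from the original message or from conn.bro itself.
# Assumption: a file handle opened with open_log_file(); the name "conn" is arbitrary.
global conn_log = open_log_file("conn") &redef;

# Bro raises connection_state_remove() when it drops the connection from its
# state table (timeout, close, reset). This is the only point at which the
# 0.9x conn.bro writes the connection summary, so a real-time Broccoli
# listener that sees connection_attempt/connection_finished/etc. will
# observe events that never appear as separate lines in conn.log.
event connection_state_remove(c: connection)
	{
	# record_connection(f: file, c: connection) prints the lifetime summary,
	# including the state string describing how Bro believes the connection
	# was created and torn down (see the Connection-summaries manual page).
	record_connection(conn_log, c);
	}
```

If you want a summary at the moment a particular event fires instead of at expiry, you would have to call record_connection() from that event's handler yourself; the stock policy does not do so.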