[Bro] False positive

Angelita de Cássia Corrêa angelita at uol.com.br
Fri Jul 22 10:35:44 PDT 2005


Hi Jason,

I need to understand the alert better, the definition of each column.

In your example, could you explain to me what each column means?

Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14
Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14
Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14
Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14

Date/time: Sep 18 06:51:42 
Duration of the connection: 0.153497 
Origin IP: 131.243.2.87
Victim IP: 131.243.2.13 
Victim Protocol: http 
???: 2077
Victim Port: 80
Transport Protocol: tcp
???: 66
???: 239  *** (is this the alert SID0?)
???: RSTO
???: X
???: %14


Does the bro use SID to identify the alert description?


Thanks
Angelita



----- Original Message ----- 
From: "Jason Lee" <jrlee at lbl.gov>
To: "Angelita de Cássia Corrêa" <angelita at uol.com.br>
Sent: Tuesday, July 19, 2005 1:41 PM
Subject: Re: [Bro] False positive


> 
> 
> Angelita,
> 
> The logs are already in a human readable format, and they should look
> something like (from a conn.log (with altered ips)):
> 
> 1000821101.824702 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14
> 1000821101.979825 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14
> 1000821102.143502 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14
> 1000821102.299239 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14
> 
> hf just resolves the hostnames in the file:
> % ./hf /tmp/foozer
> 1000821101.824702 0.153497 foobar wakko http 2077 80 tcp 66 239 RSTO X %14
> 1000821101.979825 0.162454 foobar wakko http 2087 80 tcp 70 604 RSTO X %14
> 1000821102.143502 0.153911 foobar wakko http 2100 80 tcp 80 604 RSTO X %14
> 1000821102.299239 0.165501 foobar wakko http 2115 80 tcp 80 604 RSTO X %14
> 
> and cf just changes the unix timestamp to a more readable format:
> % ./cf /tmp/foozer
> Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14
> Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14
> Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14
> Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14
> 
> the manual explains all the various flags and the format of the log files.
> 
> Cheers,
> jason
> 
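As an added example (not code from the thread, and not part of Bro itself), here is a small Python parser for the conn.log lines quoted above. The column names follow the Bro 1.x conn.log layout as I understand it (start time, duration, originator and responder address, service, originator and responder port, transport protocol, bytes sent by each side, connection state, local-initiation flag, additional info) and should be checked against the manual Jason refers to; cf_time reproduces the timestamp conversion cf does, assuming the PDT offset that matches the output in the thread.

```python
from collections import namedtuple
from datetime import datetime, timedelta, timezone

# Column order assumed from the Bro 1.x conn.log layout; verify against the manual Jason mentions.
FIELDS = ("start", "duration", "orig_h", "resp_h", "service", "orig_p", "resp_p",
          "proto", "orig_bytes", "resp_bytes", "state", "flag", "addl")
ConnRecord = namedtuple("ConnRecord", FIELDS)

# Bro connection-state codes (subset of the table in the manual).
STATE_TEXT = {
    "SF": "normal establishment and termination",
    "RSTO": "connection established, originator aborted (sent a RST)",
    "RSTR": "connection established, responder aborted (sent a RST)",
}

# Constructed sample: the four conn.log lines quoted in the thread (IPs already altered there).
SAMPLE = """\
1000821101.824702 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14
1000821101.979825 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14
1000821102.143502 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14
1000821102.299239 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14
"""

def parse_line(line):
    """Split one whitespace-separated conn.log line into a typed ConnRecord."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d columns, got %d: %r" % (len(FIELDS), len(parts), line))
    rec = ConnRecord(*parts)
    return rec._replace(start=float(rec.start), duration=float(rec.duration),
                        orig_p=int(rec.orig_p), resp_p=int(rec.resp_p),
                        orig_bytes=int(rec.orig_bytes), resp_bytes=int(rec.resp_bytes))

def cf_time(start, utc_offset_hours=-7):
    """Render the epoch start time the way cf does ("Sep 18 06:51:41"). cf uses the local
    clock; the -7 (PDT) default is an assumption that reproduces the output in the thread."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime.fromtimestamp(start, tz).strftime("%b %d %H:%M:%S")

def summarize(text):
    """Per originator: connection count, bytes sent each direction, and the state codes seen."""
    summary = {}
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        rec = parse_line(line)
        s = summary.setdefault(rec.orig_h, {"conns": 0, "orig_bytes": 0, "resp_bytes": 0, "states": set()})
        s["conns"] += 1
        s["orig_bytes"] += rec.orig_bytes
        s["resp_bytes"] += rec.resp_bytes
        s["states"].add(rec.state)
    return summary
```

Running summarize(SAMPLE) groups the four lines under 131.243.2.87 as four short RSTO connections, which is the kind of per-host view that helps decide whether an alert on them is a false positive.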

