[Bro] False positive
Christian Kreibich
christian at whoop.org
Fri Jul 22 12:08:13 PDT 2005
Hi there,
On Fri, 2005-07-22 at 14:35 -0300, Angelita de Cássia Corrêa wrote:
> Hi Jason,
>
> I need to understand the alert better: the definition of each column.
>
> In your example, could you explain to me what each column means?
>
> Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14
> Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14
> Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14
> Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14
>
> Date/time: Sep 18 06:51:42
> Duration of the connection: 0.153497
> Origin IP: 131.243.2.87
> Victim IP: 131.243.2.13
> Victim Protocol: http
> ???: 2077
Source port.
> Victim Port: 80
> Transport Protocol: tcp
> ???: 66
Bytes sent by originator.
> ???: 239 *** (is this the alert SID0?)
Bytes sent by responder.
> ???: RSTO
Connection state:
http://www.bro-ids.org/Bro-reference-manual/Connection-summaries.html
> ???: X
Connection flags, see same URL.
> ???: %14
That's additional data as reported by the analyzer, in this case, the
HTTP analyzer. You can use these for correlation (a "primary key" of
sorts).
http://www.bro-ids.org/Bro-reference-manual/http-variables.html
Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
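As an added example (not part of the original thread and not Bro's own code), here is a small Python parser for connection-summary lines of the shape quoted above, using the column order Christian gives in his reply: timestamp, duration, originator, responder, service, originator port, responder port, transport protocol, bytes sent by originator, bytes sent by responder, connection state, flags, and the analyzer-supplied additional data. It assumes the timestamp is printed in the three-token human-readable form shown in the quoted lines (raw Bro output uses an epoch float instead), and it treats a byte count of "?" as unknown; the fifth sample line is constructed to exercise those cases and is not from the thread.

```python
"""Parser for Bro connection-summary lines of the shape quoted in the thread.

Added example, not Bro code. The field order follows Christian's reply:
timestamp, duration, originator, responder, service, orig port, resp port,
transport protocol, orig bytes, resp bytes, state, flags, additional data.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: the four lines quoted in the thread, plus one
# constructed line (assumption: "?" for unknown byte counts, no extra data).
SAMPLE = """\
Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14
Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70 604 RSTO X %14
Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80 604 RSTO X %14
Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80 604 RSTO X %14
Sep 18 06:51:43 1.500000 131.243.2.90 131.243.2.13 ssh 40001 22 tcp ? ? SF X
"""


@dataclass
class ConnSummary:
    timestamp: str
    duration: float
    orig_h: str          # originating host ("origin IP" in the question)
    resp_h: str          # responding host ("victim IP" in the question)
    service: str
    orig_p: int          # source port
    resp_p: int
    proto: str           # transport protocol
    orig_bytes: Optional[int]   # bytes sent by originator (None if "?")
    resp_bytes: Optional[int]   # bytes sent by responder (None if "?")
    state: str           # connection state, e.g. RSTO
    flags: Optional[str]        # connection flags column
    addl: Optional[str]         # analyzer-supplied data, e.g. %14 from HTTP


def _byte_count(tok: str) -> Optional[int]:
    # Assumption: an unknown byte count is printed as "?"; keep it as None.
    return int(tok) if tok.isdigit() else None


def parse_conn_line(line: str) -> ConnSummary:
    tok = line.split()
    # 3 timestamp tokens ("Sep 18 06:51:41") + 10 mandatory columns
    if len(tok) < 13:
        raise ValueError(f"too few fields in connection summary: {line!r}")
    ts = " ".join(tok[:3])
    f = tok[3:]
    return ConnSummary(
        timestamp=ts,
        duration=float(f[0]),
        orig_h=f[1],
        resp_h=f[2],
        service=f[3],
        orig_p=int(f[4]),
        resp_p=int(f[5]),
        proto=f[6],
        orig_bytes=_byte_count(f[7]),
        resp_bytes=_byte_count(f[8]),
        state=f[9],
        flags=f[10] if len(f) > 10 else None,
        addl=f[11] if len(f) > 11 else None,
    )


def parse_conn_summary(text: str) -> List[ConnSummary]:
    return [parse_conn_line(l) for l in text.splitlines() if l.strip()]


def group_by_addl(conns: List[ConnSummary]) -> Dict[str, List[ConnSummary]]:
    """Group connections by the analyzer's additional-data column, the
    'primary key' Christian describes for correlating with analyzer logs."""
    groups: Dict[str, List[ConnSummary]] = defaultdict(list)
    for c in conns:
        if c.addl is not None:
            groups[c.addl].append(c)
    return dict(groups)


def count_states(conns: List[ConnSummary]) -> Dict[str, int]:
    """Tally connection states, e.g. to see how many ended in RSTO."""
    counts: Dict[str, int] = defaultdict(int)
    for c in conns:
        counts[c.state] += 1
    return dict(counts)


if __name__ == "__main__":
    conns = parse_conn_summary(SAMPLE)
    for c in conns:
        print(f"{c.orig_h}:{c.orig_p} -> {c.resp_h}:{c.resp_p} "
              f"{c.service}/{c.proto} {c.orig_bytes}/{c.resp_bytes} "
              f"{c.state} addl={c.addl}")
    print(count_states(conns))
```

Grouping on the last column is what turns the four quoted lines into one correlated set: they all carry `%14`, so the matching http.log entries can be looked up with the same tag rather than by timestamp and port tuple.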