[Bro] Toggling traffic direction in reports/logs?
Eric Wages
ewages at colsa.com
Tue Dec 26 08:45:47 PST 2006
First off, I hope everyone had (is having) a happy holiday season.
I've finally got the daily Bro reporting mechanism working and
sending out emails as I expected. However, after letting it run for a
few days, I'm starting to notice something that's a little unusual.
The Bytes In/Bytes Out pair as well as the Local Host/Remote Host
pairs seem to be opposite.
For example, it will say something like:
                                                Local     Remote    Conn.
Local Host              Remote Host             Bytes     Bytes     Count
----------------------- ----------------------- --------- --------- -------
some.externalhost.com   my.internalhost.com     1562 K    142902    2136
This is the exact opposite of what is the actual traffic pattern. Is
there a way that I can tell Bro that my /28 subnet is "local" and
everything else is "remote"? I don't seem to see anything like that
in the configuration files.
Thanks so much!
-Eric
Eric Wages
COLSA Corporation
Operations Manager, HMT ROC
256-721-0372, ext 110