[Bro] question about bro alarm log

mel mel at hackinthebox.org
Wed Oct 3 10:07:41 PDT 2007


Hi,

I've noticed that for HTTP_SensitiveURI, there are at least two 
different types of log entries:

t=1190249317.414519 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS 
sa=60.50.247.122 sp=37248/tcp da=58.215.65.113 dp=8000/tcp method=GET 
url=/announce?peer_id=-KT2100-359018798262&port=6881&uploaded=0&downloaded=0&left=33554432&compact=1&numwant=100&key=1458894583&event=started&info_hash=\xd0\x9c;\xd8\xe6z/V\xe8\x89\x9c^K\xc3\xe0?pL\x1b\xaef 
num=302 msg=60.50.247.122/37248\ >\ 58.215.65.113/8000\ %12:\ GET\ 
/announce?peer_id=-KT2100-359018798262&port=6881&uploaded=0&downloaded=0&left=33554432&compact=1&numwant=100&key=1458894583&event=started&info_hash=\\xd0\\x9c;\\xd8\\xe6z/V\\xe8\\x89\\x9c^K\\xc3\\xe0?pL\\x1b\\xaef\ 
(302\ "Found"\ [0]\ btfans.3322.org:8000) tag=@274

and

t=1190253817.786857 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS 
sa=211.25.195.202 sp=46862/tcp da=60.50.247.122 dp=81/tcp method=GET 
url=/mro/favicon.ico num=404 msg=211.25.195.202/46862\ >\ 
60.50.247.88/81\ %13\ @290:\ GET\ /mro/favicon.ico\ (404\ "Not\ Found"\ 
[279]\ whatever.zapto.org:81) tag=@290

In the first line, inside msg:

60.50.247.122/37248\ >\ 58.215.65.113/8000\ %12:

while the second one:

211.25.195.202/46862\ >\ 60.50.247.88/81\ %13\ @290:

Why the difference?

--mel
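The two entries above share one record layout: space-separated `key=value` fields, where a value may itself contain spaces and backslashes, escaped as `\ ` and `\\`, and where `msg` embeds a second, human-readable layout whose tokens (`%12:` versus `%13 @290:`) are what the question is about. The following parser is an added example written for this page, not code from the post or from the Bro project. It tokenises on unescaped spaces, unescapes each value, then splits `msg` into endpoints, the `%N` token (assumed here to be Bro's connection identifier) and the optional `@N` token (which in the second entry equals the record's own `tag=@290` field). It also cross-checks the structured `sa`/`sp`/`da`/`dp` fields against the endpoints written inside `msg`; note that in the second entry `da` and the destination in `msg` do not agree, which is the kind of discrepancy an analyst wants flagged rather than silently consumed. The sample lines are constructed to match the shape of the quoted entries, with the long query string shortened.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample lines (example data, not a real capture): same layout as the two
# entries quoted in the post, with the long BitTorrent query string shortened.
SAMPLE_LINES = [
    r't=1190249317.414519 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS '
    r'sa=60.50.247.122 sp=37248/tcp da=58.215.65.113 dp=8000/tcp method=GET '
    r'url=/announce?port=6881&event=started num=302 '
    r'msg=60.50.247.122/37248\ >\ 58.215.65.113/8000\ %12:\ GET\ '
    r'/announce?port=6881&event=started\ (302\ "Found"\ [0]\ btfans.3322.org:8000) tag=@274',
    r't=1190253817.786857 no=HTTP_SensitiveURI na=NOTICE_ALARM_ALWAYS '
    r'sa=211.25.195.202 sp=46862/tcp da=60.50.247.122 dp=81/tcp method=GET '
    r'url=/mro/favicon.ico num=404 msg=211.25.195.202/46862\ >\ '
    r'60.50.247.88/81\ %13\ @290:\ GET\ /mro/favicon.ico\ (404\ "Not\ Found"\ '
    r'[279]\ whatever.zapto.org:81) tag=@290',
]

# One token is a run of non-space characters, where a backslash always keeps the
# character after it (so "\ " does not end the token).
TOKEN_RE = re.compile(r'(?:[^\s\\]|\\.)+')

# Layout of the msg value: "src > dst %conn[ @tag]: detail".
# "%N" is treated as the connection identifier (an assumption for this example);
# "@N" is the notice tag, matching the record's tag= field when present.
MSG_RE = re.compile(
    r'^(?P<src>\S+) > (?P<dst>\S+) %(?P<conn>\d+)(?: @(?P<tag>\d+))?: (?P<detail>.*)$'
)


@dataclass
class AlarmMsg:
    src: str              # "addr/port" as written inside msg
    dst: str
    conn_id: int          # the %N token
    notice_tag: Optional[int]  # the @N token, absent in the first entry
    detail: str           # everything after the colon


@dataclass
class AlarmRecord:
    fields: Dict[str, str]
    msg: Optional[AlarmMsg]


def unescape(value: str) -> str:
    """Undo the alarm log's escaping: "\\ " -> space, "\\\\" -> backslash.
    Other escapes such as \\x1b (non-printable bytes) are left exactly as written."""
    out: List[str] = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == '\\' and i + 1 < len(value) and value[i + 1] in (' ', '\\'):
            out.append(value[i + 1])
            i += 2
            continue
        out.append(ch)
        i += 1
    return ''.join(out)


def parse_alarm_line(line: str) -> AlarmRecord:
    """Split one alarm log line into its key=value fields and decode the msg value."""
    fields: Dict[str, str] = {}
    for tok in TOKEN_RE.findall(line.strip()):
        key, sep, raw = tok.partition('=')   # first '=' only: url and msg contain more
        if not sep:
            raise ValueError(f'token without "=": {tok!r}')
        fields[key] = unescape(raw)
    msg = None
    if 'msg' in fields:
        m = MSG_RE.match(fields['msg'])
        if m:
            msg = AlarmMsg(m['src'], m['dst'], int(m['conn']),
                           int(m['tag']) if m['tag'] else None, m['detail'])
    return AlarmRecord(fields, msg)


def consistency_issues(rec: AlarmRecord) -> List[str]:
    """Cross-check the structured fields against what the msg text says."""
    if rec.msg is None:
        return ['msg field missing or not in the expected layout']
    issues: List[str] = []
    sp = rec.fields['sp'].split('/')[0]      # "37248/tcp" -> "37248"
    dp = rec.fields['dp'].split('/')[0]
    expected_src = f"{rec.fields['sa']}/{sp}"
    expected_dst = f"{rec.fields['da']}/{dp}"
    if rec.msg.src != expected_src:
        issues.append(f'sa/sp {expected_src} != msg source {rec.msg.src}')
    if rec.msg.dst != expected_dst:
        issues.append(f'da/dp {expected_dst} != msg destination {rec.msg.dst}')
    if rec.msg.notice_tag is not None and rec.fields.get('tag') != f'@{rec.msg.notice_tag}':
        issues.append(f"msg tag @{rec.msg.notice_tag} != tag field {rec.fields.get('tag')}")
    return issues


if __name__ == '__main__':
    for line in SAMPLE_LINES:
        rec = parse_alarm_line(line)
        print(rec.fields['no'], rec.fields['tag'], 'conn=%s' % rec.msg.conn_id,
              'notice_tag=%s' % rec.msg.notice_tag, consistency_issues(rec))
```

Run as-is it prints one summary line per entry; feeding it a real alarm file is a matter of iterating over its lines instead of `SAMPLE_LINES`. The tokeniser deliberately does not try to decode `\xNN` sequences: those bytes came from an untrusted client and are safer kept as printable escapes until something actually needs them.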
