[Bro] Connection UID repeat itself
Seth Hall
seth at icir.org
Tue Feb 7 11:45:36 PST 2012
On Feb 7, 2012, at 11:25 AM, Dave Angelo wrote:
> I registered on the SMTP::mime_end_entity event to inspect some SMTP traffic.
>
> I am printing the 'c$smtp$uid' to a log file and I noticed that once in a while the UID repeats itself.
Hopefully you're logging more than that since the uid value by itself is pretty useless. :)
> Why do all those specific emails have the same UID?
That would mean that all of those emails were sent over the same TCP connection. UID values are a fairly arbitrary representation for a single connection. For instance, if two hosts establish a connection then shut it down and then establish a new connection using the exact same ports there would be a new UID value. It's primarily used as a very easy method of joining various log files together without having to match on the 2 IP addresses and 2 ports with the added benefit of distinguishing between connections reusing ports.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
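
The uid join described in the reply above, as an added example that is not part of the original message or of Bro itself. The log excerpts, uid values, addresses and the trimmed column sets are constructed for illustration; the layout follows Bro's tab-separated logs with a `#fields` header.

```python
from collections import defaultdict

# Constructed sample logs (columns trimmed). Both connections reuse the same
# 4-tuple, yet each gets its own uid, and one connection carries three emails.
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tservice
1328643000.0\tCaaa111\t10.0.0.5\t40000\t192.0.2.25\t25\tsmtp
1328643600.0\tCbbb222\t10.0.0.5\t40000\t192.0.2.25\t25\tsmtp
"""
SMTP_LOG = """#fields\tts\tuid\ttrans_depth\tsubject
1328643001.0\tCaaa111\t1\tinvoice
1328643003.0\tCaaa111\t3\thello
1328643002.0\tCaaa111\t2\treport
1328643601.0\tCbbb222\t1\tstatus
"""

def parse_bro_log(text):
    """Parse a tab-separated log, taking column names from the #fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def messages_per_connection(conn_rows, smtp_rows):
    """Join smtp rows to conn rows on uid alone; no IP/port matching needed."""
    by_uid = defaultdict(list)
    for row in smtp_rows:
        by_uid[row["uid"]].append(row)
    joined = {}
    for conn in conn_rows:
        msgs = sorted(by_uid[conn["uid"]], key=lambda m: int(m["trans_depth"]))
        joined[conn["uid"]] = {
            "endpoints": (conn["id.orig_h"], conn["id.orig_p"],
                          conn["id.resp_h"], conn["id.resp_p"]),
            "subjects": [m["subject"] for m in msgs],
        }
    return joined

if __name__ == "__main__":
    result = messages_per_connection(parse_bro_log(CONN_LOG),
                                     parse_bro_log(SMTP_LOG))
    for uid, info in result.items():
        print(uid, info["endpoints"], info["subjects"])
```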