[Bro] Question about fields in the notice log
Scott Runnels
srunnels at gmail.com
Tue Jun 4 06:55:46 PDT 2013
Hi Paul,
src and dst are used if there isn't a connection id.
source:
http://www.bro.org/sphinx-git/scripts/base/frameworks/notice/main.html#type-Notice::Info
src: addr &log &optional
    Source address, if we don't have a conn_id.

dst: addr &log &optional
    Destination address.
Scott Runnels
On Tue, Jun 4, 2013 at 7:14 AM, Paul Halliday <paul.halliday at gmail.com> wrote:
> What is the difference between id.orig_h, id.resp_h and src,dst?
>
> --
> Paul Halliday
> http://www.pintumbler.org/
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
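As an added illustration of the distinction above (example script, not from the thread or the Bro distribution): a notice raised with `$conn` carries the connection's `id`, so `id.orig_h`/`id.resp_h` are populated in notice.log, while a notice raised outside any connection can only set `src`/`dst`. The notice type names, the trigger port and the address are constructed for the example.

```bro
# Added example: two ways a Notice::Info record reaches notice.log.
@load base/frameworks/notice

redef enum Notice::Type += {
    ## Hypothetical notice raised with full connection context.
    Example::Conn_Context,
    ## Hypothetical notice raised with no connection at all.
    Example::Host_Only,
};

# With $conn set, the notice has a conn_id: id.orig_h, id.resp_h,
# id.orig_p and id.resp_p are all written to notice.log.
event connection_established(c: connection)
    {
    # Constructed trigger: flag cleartext telnet sessions.
    if ( c$id$resp_p == 23/tcp )
        NOTICE([$note=Example::Conn_Context,
                $conn=c,
                $msg=fmt("telnet session to %s", c$id$resp_h)]);
    }

# Without a connection there is no conn_id to log, so only src
# (and optionally dst) can carry the address; the id.* columns stay empty.
event bro_init()
    {
    NOTICE([$note=Example::Host_Only,
            $src=192.0.2.10,    # constructed address (TEST-NET-1)
            $msg="host-level notice raised with no conn_id"]);
    }
```

Running `bro -r` over a capture with this script loaded shows the first notice with `id.*` columns filled and the second with only `src` set.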