[Bro] Bro bug?
Kellogg, Brian D (OLN)
bkellogg at dresser-rand.com
Sun Jan 19 09:06:03 PST 2014
Yes, and that is the intention. If you look at the email alert in the email you will see a report size of over 1GB, and the Bro script only sends emails on any Tx over 50MB.
Thank you,
Brian Kellogg
-----Original Message-----
From: John Green [mailto:john at giggled.org]
Sent: Sunday, January 19, 2014 12:01 PM
To: Kellogg, Brian D (OLN)
Subject: Re: [Bro] Bro bug?
Hi Brian,
Doesn't
const recordTx = 1024000;
# destination hosts to record if over this many bytes
alert on any transfer approximately > 1MB rather than 1GB?
Cheers
John
On 19 January 2014 16:45, Kellogg, Brian D (OLN) <bkellogg at dresser-rand.com> wrote:
> largeTx.bro alerts on any outgoing Txs over X bytes. If of sufficient size it sends an email alert.
>
> get.bash uses tshark to extract captured Security Onion FPC packets from /nsm/sensor_data/so-OLN-eth0/dailylogs/2014-01-19.
>
> I received an email alert saying that 1.1.1.1 transmitted over 1GB of information to 2.2.2.2. Therefore I went to the FPC directory above to extract this communication to see what it was. The extracted content was ~3.5MB in size.
>
> I've tested this with several large file uploads and have gotten consistent and accurate results with all tests. Therefore I'm confused as to how this alert was generated.
>
> Is this an intermittent bug possibly or am I not understanding something?
>
> The email alert I received from Bro 2.2 on Security Onion with all the latest patches is included as well. The duration is odd as well. I've received a handful of similar alerts for large transfers and very short durations.
>
>
> Thank you,
> Brian Kellogg
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
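As an added illustration of the threshold logic the thread is debating, the following Python check runs over Bro conn.log-style records. It is example code written for this page, not largeTx.bro or anything from the Bro project. It assumes conn.log's `orig_bytes` and `duration` fields, uses constructed sample lines, renders sizes the way an alert email would (so the 1024000-byte constant comes out as 1000 KB, not 1 GB), and adds an assumed 1 Gbit/s link capacity to flag byte counts that could not have been transferred in the reported duration, which is the kind of sanity check that would catch the "large transfer, very short duration" alerts mentioned above.

```python
"""Large-transfer check over Bro/Zeek conn.log records.

Added example for this thread, not the list's largeTx.bro. Field names follow
conn.log; the sample log lines below are constructed, not captured data.
"""
from typing import Dict, List, Optional

# Thresholds discussed in the thread: 1024000 bytes is ~1 MB (not 1 GB);
# 50 MB is the email threshold Brian states for his script.
RECORD_TX_BYTES = 1024000
EMAIL_TX_BYTES = 50 * 1024 * 1024

# Assumed sensor link capacity for a plausibility check (assumption, not from the thread).
LINK_BITS_PER_SEC = 1_000_000_000

# Constructed sample conn.log in Bro's tab-separated ASCII layout ('-' marks an unset field).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tinterval\tcount\tcount\n"
    "1390147500.123\tCuid1\t1.1.1.1\t50123\t2.2.2.2\t443\ttcp\t0.531\t1200000000\t45000\n"
    "1390147510.456\tCuid2\t10.0.0.5\t43210\t10.0.0.9\t80\ttcp\t12.000\t3500000\t1200\n"
    "1390147520.789\tCuid3\t10.0.0.6\t43211\t10.0.0.9\t80\ttcp\t1.200\t-\t-\n"
)


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro ASCII log into dicts keyed by the names in the #fields header."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines (#separator, #types, #close, ...)
        if fields is None:
            raise ValueError("data line seen before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch on line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def to_int(value: str) -> int:
    """Bro writes '-' for unset counts; treat that as zero bytes."""
    return 0 if value == "-" else int(value)


def human_size(num_bytes: int) -> str:
    """Format a byte count with 1024-based units, as an alert email would show it."""
    size = float(num_bytes)
    for unit in ("B", "KB", "MB", "GB"):
        if size < 1024:
            return f"{size:.2f} {unit}"
        size /= 1024
    return f"{size:.2f} TB"


def check_transfers(records: List[Dict[str, str]],
                    record_threshold: int = RECORD_TX_BYTES,
                    email_threshold: int = EMAIL_TX_BYTES,
                    link_bps: int = LINK_BITS_PER_SEC) -> List[Dict[str, object]]:
    """Flag connections whose originator bytes exceed the record threshold.

    Each alert carries its level ('email' above the email threshold, else
    'record') and whether the implied throughput exceeds the assumed link rate.
    """
    alerts: List[Dict[str, object]] = []
    for rec in records:
        tx = to_int(rec["orig_bytes"])
        if tx <= record_threshold:
            continue
        duration = float(rec["duration"]) if rec["duration"] != "-" else 0.0
        # A zero/unset duration makes any byte count implausible, hence infinity.
        rate_bps = (tx * 8 / duration) if duration > 0 else float("inf")
        alerts.append({
            "uid": rec["uid"],
            "src": rec["id.orig_h"],
            "dst": rec["id.resp_h"],
            "tx_bytes": tx,
            "tx_human": human_size(tx),
            "duration": duration,
            "level": "email" if tx > email_threshold else "record",
            "rate_suspicious": rate_bps > link_bps,
        })
    return alerts


if __name__ == "__main__":
    print(f"record threshold {RECORD_TX_BYTES} bytes = {human_size(RECORD_TX_BYTES)}")
    for alert in check_transfers(parse_conn_log(SAMPLE_CONN_LOG)):
        print(alert)
```

The plausibility flag does not say why a byte count is wrong; it only marks an alert whose size and duration cannot both be right on the assumed link, which is the first thing to confirm against full packet capture before trusting either number.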