[Bro] Bro bug?

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Sun Jan 19 09:22:10 PST 2014


1390143300.845103	Cma6473thsxripFj9k	1.1.1.1	3326	2.2.2.2	80	tcp	-	0.092641	1056737769	0	RSTOS0	T	0	SaR	2	88	1	40	(empty)	-	US	so-eth0

Thank you,
Brian Kellogg


-----Original Message-----
From: Justin Azoff [mailto:JAzoff at albany.edu] 
Sent: Sunday, January 19, 2014 12:09 PM
To: Kellogg, Brian D (OLN)
Cc: bro at bro.org
Subject: Re: [Bro] Bro bug?

On Sun, Jan 19, 2014 at 04:45:11PM +0000, Kellogg, Brian D (OLN) wrote:
> largeTx.bro alerts on any outgoing Txs over X bytes.  If of sufficient size it sends an email alert.
..
> I received an email alert saying that 1.1.1.1 transmitted over 1GB of information to 2.2.2.2.  Therefore I went to the FPC directory above to extract this communication to see what it was.  The extracted content was ~3.5MB in size. 


> Message: Orig transmitted 1056737769 bytes to resp.  Duration 0.092641 sec.  Connection UID Cma6473thsxripFj9k.

Can you post the full conn.log entry for this connection? That might help explain what is going on.

    grep Cma6473thsxripFj9k conn.log

should find the exact entry.


--
-- Justin Azoff
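An added cross-check, not from either poster and not Bro's own code, over the conn.log record posted above: in Bro's conn.log, orig_bytes is derived from TCP sequence numbers, while orig_ip_bytes is the IP total_length actually seen on the wire, so a sequence-derived payload count far above the captured bytes (here 1056737769 against 88 IP bytes in 2 packets, with missed_bytes 0) is inconsistent with the capture and should not drive a large-transfer alert. The three columns after tunnel_parents are site-specific and not named on the page; the second record is constructed for comparison.

```python
# Added example (not from the thread or from Bro itself): parse a Bro 2.x
# conn.log record and sanity-check the sequence-number-derived byte count
# before raising a large-transfer alert.

# Standard Bro 2.2 conn.log columns, in order (from the Bro documentation).
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "local_orig", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
    "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]
COUNT_FIELDS = ("orig_bytes", "resp_bytes", "missed_bytes", "orig_pkts",
                "orig_ip_bytes", "resp_pkts", "resp_ip_bytes")

# The record posted in the thread (tab separated, copied verbatim).
POSTED = ("1390143300.845103\tCma6473thsxripFj9k\t1.1.1.1\t3326\t2.2.2.2\t80\ttcp\t-"
          "\t0.092641\t1056737769\t0\tRSTOS0\tT\t0\tSaR\t2\t88\t1\t40\t(empty)"
          "\t-\tUS\tso-eth0")
# Constructed record of a genuine ~1.5 GB upload for comparison (not from the page).
CONSTRUCTED = ("1390150000.000000\tCXXXXXXXXXXXXXXXXX\t10.0.0.5\t51000\t203.0.113.9\t443\ttcp\tssl"
               "\t812.5\t1500000000\t2400000\tSF\tT\t0\tShADadFf\t1100000\t1560000000"
               "\t640000\t33000000\t(empty)")

def parse_conn_line(line):
    """Split one conn.log line into a dict; unknown trailing columns go to 'extra'."""
    cols = line.rstrip("\n").split("\t")
    rec = dict(zip(CONN_FIELDS, cols))
    rec["extra"] = cols[len(CONN_FIELDS):]      # site-specific columns, if any
    for f in COUNT_FIELDS:
        rec[f] = None if rec.get(f, "-") == "-" else int(rec[f])
    return rec

def orig_bytes_plausible(rec):
    """orig_bytes comes from TCP sequence numbers; orig_ip_bytes is what was
    actually seen on the wire (IP total_length). Payload cannot exceed captured
    IP bytes plus bytes Bro reports as missed, so a violation means the count
    is inconsistent with the capture, not evidence of a real transfer."""
    if rec["proto"] != "tcp" or rec["orig_bytes"] is None or rec["orig_ip_bytes"] is None:
        return True                              # nothing to cross-check
    captured = rec["orig_ip_bytes"] + (rec["missed_bytes"] or 0)
    return rec["orig_bytes"] <= captured

def should_alert(rec, threshold):
    """Large-transfer alert only when the byte count passes the sanity check."""
    return (rec["orig_bytes"] is not None
            and rec["orig_bytes"] > threshold
            and orig_bytes_plausible(rec))

if __name__ == "__main__":
    for line in (POSTED, CONSTRUCTED):
        r = parse_conn_line(line)
        print(r["uid"], r["conn_state"], r["history"], r["orig_bytes"],
              r["orig_ip_bytes"], "alert" if should_alert(r, 10**9) else "suppressed")
```

Run stand-alone, the posted record is reported as suppressed and the constructed one as alert with a 1 GB threshold.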
