[Bro] Bro bug?

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Sun Jan 19 09:38:40 PST 2014


Here is the conn log entry for the other one:

1390143593.839386	C3miqNnYs6FBw74c5	3.3.3.3	4235	4.4.4.4	80	tcp	-	0.086147	1594489093	0	RSTOS0	T	0	SaR	2	88	1	40	(empty)	-	US	so-eth0

Thank you,
Brian Kellogg
Security Analyst; IT Governance, Risk, and Compliance
500 Paul Clark Drive, Olean,  NY 14760
T: (716) 375-3186 | F: (716) 375-3557


-----Original Message-----
From: Kellogg, Brian D (OLN) 
Sent: Sunday, January 19, 2014 12:34 PM
To: 'Justin Azoff'
Cc: 'bro at bro.org'
Subject: RE: [Bro] Bro bug?

SaR in the history field is in common for both of the erroneous email alerts I received today.


Thank you,
Brian Kellogg


-----Original Message-----
From: Kellogg, Brian D (OLN) 
Sent: Sunday, January 19, 2014 12:22 PM
To: 'Justin Azoff'
Cc: bro at bro.org
Subject: RE: [Bro] Bro bug?

1390143300.845103	Cma6473thsxripFj9k	1.1.1.1	3326	2.2.2.2	80	tcp	-	0.092641	1056737769	0	RSTOS0	T	0	SaR	2	88	1	40	(empty)	-	US	so-eth0

Thank you,
Brian Kellogg


-----Original Message-----
From: Justin Azoff [mailto:JAzoff at albany.edu] 
Sent: Sunday, January 19, 2014 12:09 PM
To: Kellogg, Brian D (OLN)
Cc: bro at bro.org
Subject: Re: [Bro] Bro bug?

On Sun, Jan 19, 2014 at 04:45:11PM +0000, Kellogg, Brian D (OLN) wrote:
> largeTx.bro alerts on any outgoing Txs over X bytes.  If of sufficient size it sends an email alert.
..
> I received an email alert saying that 1.1.1.1 transmitted over 1GB of information to 2.2.2.2.  Therefore I went to the FPC directory above to extract this communication to see what it was.  The extracted content was ~3.5MB in size. 


> Message: Orig transmitted 1056737769 bytes to resp.  Duration 0.092641 sec.  Connection UID Cma6473thsxripFj9k.

Can you post the full conn.log entry for this connection? That might help explain what is going on.

    grep Cma6473thsxripFj9k conn.log

should find the exact entry.


--
-- Justin Azoff
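Added example, not part of the thread and not code from the Bro project: a small Python check over the two conn.log lines posted above. Bro's conn.log documentation states that for TCP the orig_bytes column is taken from sequence numbers and can be inaccurate, whereas orig_ip_bytes is counted from the packets actually seen; payload can never exceed the IP bytes carrying it, so a record with orig_bytes far above orig_ip_bytes (here over 1e9 against 88 bytes in 2 packets) cannot be a real transfer of that size. The field order assumed is the standard Bro 2.x conn.log layout (first 20 columns); the three trailing columns in the posted lines are assumed to be site-specific extras and are ignored. The 10**9-byte threshold stands in for the unspecified "X bytes" in largeTx.bro and is an assumption of this example.

```python
"""Sanity-check Bro conn.log orig_bytes against orig_ip_bytes.

Added example, not from the thread or from the Bro project. The sample
lines are the two entries posted in the thread; the three columns after
tunnel_parents are assumed to be site-specific extras and are ignored.
"""

# Standard Bro 2.x conn.log field order (the first 20 columns).
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
    "tunnel_parents",
]

# Constructed sample input: the two conn.log entries posted in the thread.
SAMPLE_CONN_LOG = "\n".join([
    "1390143300.845103\tCma6473thsxripFj9k\t1.1.1.1\t3326\t2.2.2.2\t80\ttcp\t-"
    "\t0.092641\t1056737769\t0\tRSTOS0\tT\t0\tSaR\t2\t88\t1\t40\t(empty)\t-\tUS\tso-eth0",
    "1390143593.839386\tC3miqNnYs6FBw74c5\t3.3.3.3\t4235\t4.4.4.4\t80\ttcp\t-"
    "\t0.086147\t1594489093\t0\tRSTOS0\tT\t0\tSaR\t2\t88\t1\t40\t(empty)\t-\tUS\tso-eth0",
])

INT_FIELDS = ("orig_bytes", "resp_bytes", "orig_pkts",
              "orig_ip_bytes", "resp_pkts", "resp_ip_bytes")


def parse_conn_line(line):
    """Split one tab-separated conn.log record into a dict of the standard fields.

    Extra trailing columns are dropped; '-' (unset) counters become None.
    """
    cols = line.rstrip("\n").split("\t")
    if len(cols) < len(CONN_FIELDS):
        raise ValueError("short conn.log record: %r" % line)
    rec = dict(zip(CONN_FIELDS, cols))
    for field in INT_FIELDS:
        rec[field] = None if rec[field] == "-" else int(rec[field])
    return rec


def orig_bytes_plausible(rec):
    """True unless the sequence-number-derived orig_bytes exceeds the
    packet-counted orig_ip_bytes, which no real transfer can do."""
    if rec["proto"] != "tcp":
        return True  # the seq-number derivation only applies to TCP
    if rec["orig_bytes"] is None or rec["orig_ip_bytes"] is None:
        return True  # nothing to compare
    return rec["orig_bytes"] <= rec["orig_ip_bytes"]


def find_bogus_large_tx(log_text, threshold):
    """Return the UIDs whose orig_bytes exceeds threshold but cannot be real.

    Comment lines (#fields, #types, ...) and blank lines are skipped, so the
    function can be fed a whole conn.log as well as the sample above.
    """
    bogus = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if rec["orig_bytes"] is None or rec["orig_bytes"] <= threshold:
            continue
        if not orig_bytes_plausible(rec):
            bogus.append(rec["uid"])
    return bogus


if __name__ == "__main__":
    # Assumed threshold standing in for largeTx.bro's "X bytes".
    for uid in find_bogus_large_tx(SAMPLE_CONN_LOG, 10 ** 9):
        print("orig_bytes not plausible for connection", uid)
```

Running it against a real log is a matter of reading conn.log into `find_bogus_large_tx` (for example with `open("conn.log").read()`); a large-transfer alert that only fires when `orig_bytes_plausible` is also true would not have paged on either of the two entries above.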