[Bro] Bro bug?
Justin Azoff
JAzoff at albany.edu
Sun Jan 19 09:46:31 PST 2014
On Sun, Jan 19, 2014 at 05:22:10PM +0000, Kellogg, Brian D (OLN) wrote:
> 1390143300.845103 Cma6473thsxripFj9k 1.1.1.1 3326 2.2.2.2 80 tcp - 0.092641 1056737769 0 RSTOS0 T 0 SaR 2 88 1 40 (empty) - US so-eth0
So, with the field names, that is:
ts 1390143300.845103
uid Cma6473thsxripFj9k
id.orig_h 1.1.1.1
id.orig_p 3326
id.resp_h 2.2.2.2
id.resp_p 80
proto tcp
service -
duration 0.092641
orig_bytes 1056737769
resp_bytes 0
conn_state RSTOS0
local_orig T
missed_bytes 0
history SaR
orig_pkts 2
orig_ip_bytes 88
resp_pkts 1
resp_ip_bytes 40
Which shows that bro calculated that there were 1056737769 bytes based
on sequence numbers, but only actually saw 88 bytes.
I think simply changing $size to $num_bytes_ip will fix your problems.
--
-- Justin Azoff
-- Network Security & Performance Analyst
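The check Justin describes, as an added example that is not part of the original thread or of Bro itself: a small parser for conn.log lines using the column names listed in the reply, plus a sanity check that flags records whose sequence-number-derived byte count (orig_bytes / resp_bytes, the `$size` side of the comparison) exceeds the bytes actually observed on the wire (orig_ip_bytes / resp_ip_bytes, the `$num_bytes_ip` side). The sample log lines are constructed here; the first reuses the values from the quoted record with tab separators, the others are made up to show a normal connection and one with missing counters. The trailing columns after resp_ip_bytes are kept under an `extra` key rather than given names the post does not supply.

```python
"""Parse Bro conn.log records and flag byte counts inflated by sequence numbers.

Added example for the mailing-list thread above; assumptions: tab-separated
conn.log lines, '-' and '(empty)' as the unset markers, and the column order
listed in the reply. Not Bro's own code."""
from typing import Any, Dict, List

# Column order as given in the reply (19 named fields).
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
]

# Type converters for the numeric columns; everything else stays a string.
NUMERIC = {
    "ts": float, "id.orig_p": int, "id.resp_p": int, "duration": float,
    "orig_bytes": int, "resp_bytes": int, "missed_bytes": int,
    "orig_pkts": int, "orig_ip_bytes": int, "resp_pkts": int, "resp_ip_bytes": int,
}

UNSET = {"-", "(empty)"}

# Constructed sample log: first line mirrors the record quoted in the thread,
# the second is a normal fully-observed connection, the third has unset counters.
SAMPLE_LOG = "\n".join([
    "\t".join(["1390143300.845103", "Cma6473thsxripFj9k", "1.1.1.1", "3326", "2.2.2.2", "80",
               "tcp", "-", "0.092641", "1056737769", "0", "RSTOS0", "T", "0", "SaR",
               "2", "88", "1", "40", "(empty)", "-", "US", "so-eth0"]),
    "\t".join(["1390143301.000000", "CexampleNormal0001", "10.0.0.5", "40001", "10.0.0.9", "443",
               "tcp", "ssl", "1.250000", "500", "1200", "SF", "T", "0", "ShADadFf",
               "6", "760", "5", "1500", "(empty)", "-", "US", "so-eth0"]),
    "\t".join(["1390143302.000000", "CexampleUnset00002", "10.0.0.5", "53412", "10.0.0.53", "53",
               "udp", "dns", "-", "-", "-", "S0", "T", "0", "D",
               "1", "70", "0", "0", "(empty)", "-", "US", "so-eth0"]),
])


def parse_conn_line(line: str, sep: str = "\t") -> Dict[str, Any]:
    """Map one conn.log line to a dict keyed by column name."""
    values = line.rstrip("\n").split(sep)
    if len(values) < len(CONN_FIELDS):
        raise ValueError(f"expected at least {len(CONN_FIELDS)} columns, got {len(values)}")
    rec: Dict[str, Any] = {}
    for name, raw in zip(CONN_FIELDS, values):
        if raw in UNSET:
            rec[name] = None
        elif name in NUMERIC:
            rec[name] = NUMERIC[name](raw)
        elif name == "local_orig":
            rec[name] = raw == "T"
        else:
            rec[name] = raw
    rec["extra"] = values[len(CONN_FIELDS):]  # unnamed trailing columns, kept as-is
    return rec


def inflated_sides(rec: Dict[str, Any]) -> List[str]:
    """Return the endpoints whose payload count (from sequence numbers) exceeds
    the IP bytes actually captured. Payload can never exceed IP bytes for
    fully observed traffic, so this indicates sequence-number gaps."""
    sides = []
    for side in ("orig", "resp"):
        claimed, observed = rec[f"{side}_bytes"], rec[f"{side}_ip_bytes"]
        if claimed is not None and observed is not None and claimed > observed:
            sides.append(side)
    return sides


def claimed_size(rec: Dict[str, Any]) -> int:
    """Sequence-number-based volume (the $size-style figure)."""
    return (rec["orig_bytes"] or 0) + (rec["resp_bytes"] or 0)


def observed_size(rec: Dict[str, Any]) -> int:
    """Wire-observed volume (the $num_bytes_ip-style figure Justin recommends)."""
    return (rec["orig_ip_bytes"] or 0) + (rec["resp_ip_bytes"] or 0)


def scan_log(text: str) -> List[str]:
    """Return the uids of records whose byte counts look inflated."""
    flagged = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip header/comment lines
            continue
        rec = parse_conn_line(line)
        if inflated_sides(rec):
            flagged.append(rec["uid"])
    return flagged


if __name__ == "__main__":
    for uid in scan_log(SAMPLE_LOG):
        print("inflated byte count:", uid)
```

Running the block prints the uid of the quoted record only; the other two constructed lines pass because their observed IP bytes cover the claimed payload or the payload counters are unset.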