[Bro] Bro bug?

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Sun Jan 19 10:25:48 PST 2014


Ah, thank you for the clarification.  I was obviously misunderstanding how that field was calculated.

Thank you,
Brian Kellogg

-----Original Message-----
From: Justin Azoff [mailto:JAzoff at albany.edu] 
Sent: Sunday, January 19, 2014 12:47 PM
To: Kellogg, Brian D (OLN)
Cc: bro at bro.org
Subject: Re: [Bro] Bro bug?

On Sun, Jan 19, 2014 at 05:22:10PM +0000, Kellogg, Brian D (OLN) wrote:
> 1390143300.845103	Cma6473thsxripFj9k	1.1.1.1	3326	2.2.2.2	80	tcp	-	0.092641	1056737769	0	RSTOS0	T	0	SaR	2	88	1	40	(empty)	-	US	so-eth0

So, with the field names, that is:

ts 1390143300.845103
uid Cma6473thsxripFj9k
id.orig_h 1.1.1.1
id.orig_p 3326
id.resp_h 2.2.2.2
id.resp_p 80
proto tcp
service -
duration 0.092641
orig_bytes 1056737769
resp_bytes 0
conn_state RSTOS0
local_orig T
missed_bytes 0
history SaR
orig_pkts 2
orig_ip_bytes 88
resp_pkts 1
resp_ip_bytes 40

Which shows that bro calculated that there were 1056737769 bytes based on sequence numbers, but only actually saw 88 bytes.

I think simply changing $size to $num_bytes_ip will fix your problems.

--
-- Justin Azoff
-- Network Security & Performance Analyst
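As an added example (not code from the thread or from the Bro project), here is a small Python parser for the conn.log line above that uses the field order Justin lists and flags the case he describes: an orig_bytes value derived from sequence numbers that exceeds the orig_ip_bytes Bro actually saw. The function names are my own, the tunnel_parents label for the twentieth column is assumed from the standard conn.log layout, and the three trailing columns are site-specific and left unnamed.

```python
# Field order from the thread, followed by tunnel_parents (a standard
# conn.log column); any further columns are site-specific and left unnamed.
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
    "tunnel_parents",
]
INT_FIELDS = {"id.orig_p", "id.resp_p", "orig_bytes", "resp_bytes", "missed_bytes",
              "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes"}

def parse_conn_line(line):
    """Split a tab-separated conn.log line into a dict; '-' means unset."""
    cols = line.rstrip("\n").split("\t")
    rec = {}
    for name, raw in zip(CONN_FIELDS, cols):
        if raw == "-":
            rec[name] = None
        elif name in INT_FIELDS:
            rec[name] = int(raw)
        else:
            rec[name] = raw
    rec["extra"] = cols[len(CONN_FIELDS):]   # unnamed site-specific columns
    return rec

def seq_bytes_unsupported(rec, side="orig"):
    """True when the sequence-number estimate (orig_bytes / resp_bytes)
    exceeds the bytes seen on the wire (orig_ip_bytes / resp_ip_bytes).
    IP bytes include headers, so a payload estimate above the wire count
    means Bro never saw packets carrying that data."""
    est, seen = rec[side + "_bytes"], rec[side + "_ip_bytes"]
    if est is None or seen is None:
        return False
    return est > seen

def observed_bytes(rec):
    """Bytes actually captured for the connection: the per-endpoint
    $num_bytes_ip values Justin suggests using instead of $size."""
    return (rec["orig_ip_bytes"] or 0) + (rec["resp_ip_bytes"] or 0)

# Constructed copy of the conn.log line from the thread, tab-separated.
SAMPLE = "\t".join([
    "1390143300.845103", "Cma6473thsxripFj9k", "1.1.1.1", "3326",
    "2.2.2.2", "80", "tcp", "-", "0.092641", "1056737769", "0", "RSTOS0",
    "T", "0", "SaR", "2", "88", "1", "40", "(empty)", "-", "US", "so-eth0",
])
```

For the sample line, `seq_bytes_unsupported(parse_conn_line(SAMPLE))` is True (1056737769 estimated versus 88 seen), which is exactly the mismatch that makes `$size` unreliable for this connection.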
