[Bro] Interesting intel.log issue
James Lay
jlay at slave-tothe-box.net
Mon Oct 13 13:19:29 PDT 2014
Topic says it... for the most part, most of my intel.log looks like:
1413230008.288997 CV0p4G1epvXb4Cagma x.x.x.x 41918 50.63.40.1 80 - - - 50.63.40.1 Intel::ADDR Conn::IN_RESP alienvault
1413230008.357789 CR6AUc3tAVZKpxue2c x.x.x.x 38068 50.63.40.1 80 - - - 50.63.40.1 Intel::ADDR Conn::IN_RESP alienvault
1413230267.919296 C4AHVH2Y7UUpTBbl2 x.x.x.x 49880 208.109.181.58 80 - - - 208.109.181.58 Intel::ADDR Conn::IN_RESP alienvault
1413230268.588344 CkxyU02h5MNCvSl4jc x.x.x.x 59045 208.109.181.58 80 - - - 208.109.181.58 Intel::ADDR Conn::IN_RESP alienvault
But sometimes I see:
1413230008.288997 CV0p4G1epvXb4Cagma x.x.x.x 41918 50.63.40.1 80 - - - 50.63.40.1 Intel::ADDR Conn::IN_RESP alienvault
1413230008.357789 CR6AUc3tAVZKpxue2c x.x.x.x 38068 50.63.40.1 80 - - - 50.63.40.1 Intel::ADDR Conn::IN_RESP alienvaul1413230267.919296 C4AHVH2Y7UUpTBbl2 x.x.x.x 49880 208.109.181.58 80 - - - 208.109.181.58 Intel::ADDR Conn::IN_RESP alienvault
1411413230268.588344 CkxyU02h5MNCvSl4jc x.x.x.x 59045 208.109.181.58 80 - - - 208.109.181.58 Intel::ADDR Conn::IN_RESP alienvault
where the timestamp has been tagged onto the end of the previous line; in this case it nukes the 't' in alienvault in the second line.
Weird... Currently I'm tailing this file and, while it's a mild issue, if I were going to generate a report with grep/sed/awk as I do with some of the others, this would be a problem. Thank you.
James
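As an added example (not part of James's post or of the Bro project), a Python checker that finds the fused records he describes, so a grep/sed/awk-style report can skip or repair them instead of silently miscounting; it assumes the 13 columns as rendered in the post, split on whitespace, and the constructed sample is built from the records shown above.

```python
import re

# Bro intel.log as rendered in the post has 13 whitespace-separated columns
# (ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type
#  file_desc seen.indicator seen.indicator_type seen.where sources).
EXPECTED_FIELDS = 13
# A Bro timestamp glued to the end of another token, e.g. 'alienvaul1413230267.919296'.
FUSED_RE = re.compile(r"^(\S*?)(\d{10}\.\d{6})$")

def split_fused_records(line):
    """Split one physical line into the logical records it contains.
    A line where the next record's timestamp was written without a newline
    is cut at the timestamp; the damaged 'sources' value is kept for reporting."""
    records, current = [], []
    for tok in line.split():
        m = FUSED_RE.match(tok)
        if m and current and m.group(1):
            current.append(m.group(1))  # truncated tail of the previous record
            records.append(current)
            current = [m.group(2)]      # new record starts with the timestamp
        else:
            current.append(tok)
    if current:
        records.append(current)
    return records

def audit_intel_log(text):
    """One finding per logical record: (line no, ts, field count, fused?)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue  # blank lines and Bro's '#fields'/'#types' header rows
        recs = split_fused_records(line)
        for rec in recs:
            findings.append((lineno, rec[0], len(rec), len(recs) > 1))
    return findings

# Constructed sample: one good record, then the two records the post shows
# fused onto one line (note the missing 't' in 'alienvault').
SAMPLE = (
    "1413230008.288997 CV0p4G1epvXb4Cagma x.x.x.x 41918 50.63.40.1 80 "
    "- - - 50.63.40.1 Intel::ADDR Conn::IN_RESP alienvault\n"
    "1413230008.357789 CR6AUc3tAVZKpxue2c x.x.x.x 38068 50.63.40.1 80 "
    "- - - 50.63.40.1 Intel::ADDR Conn::IN_RESP alienvaul1413230267.919296 "
    "C4AHVH2Y7UUpTBbl2 x.x.x.x 49880 208.109.181.58 80 - - - "
    "208.109.181.58 Intel::ADDR Conn::IN_RESP alienvault\n"
)
```

A record whose field count is not EXPECTED_FIELDS, or whose fused flag is set, is the row to drop or fix before counting hits per indicator.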