[Bro] conn.log history has letter 'Q'?
James Lay
jlay at slave-tothe-box.net
Wed Aug 19 19:59:43 PDT 2015
On Wed, 2015-08-19 at 21:30 -0400, Seth Hall wrote:
> > On Aug 19, 2015, at 8:21 PM, 김희철 <hckim at narusec.com> wrote:
> >
> > Inside a conn.log history I have the letter 'Q'.
> > I cannot find any info about 'Q'.
> > Am I missing something?
> >
> > 1439941988.068044 C3FNvf40Sa0n7jtNTf 10.122.100.26 63394 10.122.110.8 22 tcp - 1.796387 0 0 SH T Qah 1 60 4 224 (empty) (empty) (empty)
>
> 'Q' indicates a multi-flag packet. It should be either a SYN/FIN or SYN/RST packet.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
That's interesting. I don't have Q at all, and I would agree that
maybe that should be documented somewhere, but I couldn't find it here:
https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info
James
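A small decoder for the conn.log history column, added here as an example; it is not code from the thread or from the Bro project. It expands each history letter using the letter table from the Conn::Info documentation as of Bro 2.4 (case gives the sender: uppercase originator, lowercase responder; 'q' is the multi-flag SYN+FIN / SYN+RST packet Seth describes), parses a log in Bro's tab-separated ASCII format via its #fields header, and flags records whose originator opened with a multi-flag packet, which a normal TCP client never does. The sample log is constructed: the first record reuses the values from the poster's line, but its column subset and order, the second record entirely, and the separator line are assumptions.

```python
"""Decode the ``history`` column of Bro/Zeek conn.log records.

Added example; not code from the Bro project or from anyone on the thread.
Letter meanings follow the Conn::Info history documentation as of Bro 2.4.
Uppercase letters are events sent by the originator, lowercase by the responder.
"""
from typing import Dict, List, Tuple

HISTORY_LETTERS: Dict[str, str] = {
    "s": "SYN without ACK",
    "h": "SYN+ACK (handshake)",
    "a": "pure ACK",
    "d": "packet with payload (data)",
    "f": "packet with FIN bit set",
    "r": "packet with RST bit set",
    "c": "packet with a bad checksum",
    "g": "content gap",
    "t": "packet with retransmitted payload",
    "w": "packet with a zero window advertisement",
    "i": "inconsistent packet (e.g. FIN+RST bits set)",
    "q": "multi-flag packet (SYN+FIN or SYN+RST bits set)",
}


def decode_history(history: str) -> List[Tuple[str, str]]:
    """Expand a history string such as 'Qah' into (sender, description) pairs,
    in the order Bro recorded the events. Unknown letters are reported, not
    silently dropped, so a newer Bro/Zeek release cannot hide an event."""
    events: List[Tuple[str, str]] = []
    for ch in history:
        if ch == "^":
            events.append(("bro", "connection direction flipped by heuristic"))
            continue
        sender = "originator" if ch.isupper() else "responder"
        desc = HISTORY_LETTERS.get(ch.lower())
        if desc is None:
            desc = "unknown history letter %r" % ch
        events.append((sender, desc))
    return events


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro's tab-separated ASCII log format, taking column names from
    the #fields header so any column subset produced by a log filter works."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # #separator, #path, #open, #close, ...
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def opens_with_multiflag(record: Dict[str, str]) -> bool:
    """True when the originator's first recorded event is a multi-flag packet
    (history starts with 'Q'); a normal client opens with a plain SYN ('S')."""
    return record["history"].startswith("Q")


def multiflag_openers(text: str) -> List[str]:
    """Return the uids of connections whose originator opened with SYN+FIN
    or SYN+RST."""
    return [r["uid"] for r in parse_conn_log(text) if opens_with_multiflag(r)]


# Constructed sample in Bro's ASCII log format (assumed separator line and
# column subset). Record 1 reuses values from the poster's line; record 2 is
# an ordinary completed SSH connection made up for contrast.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tconn_state\thistory\torig_pkts\tresp_pkts\n"
    "1439941988.068044\tC3FNvf40Sa0n7jtNTf\t10.122.100.26\t63394"
    "\t10.122.110.8\t22\ttcp\tSH\tQah\t1\t4\n"
    "1439941990.000000\tCconstructed0001\t10.122.100.26\t63400"
    "\t10.122.110.8\t22\ttcp\tSF\tShADadFf\t12\t10\n"
)

if __name__ == "__main__":
    for rec in parse_conn_log(SAMPLE_CONN_LOG):
        print(rec["uid"], rec["conn_state"], rec["history"])
        for sender, desc in decode_history(rec["history"]):
            print("    %-10s %s" % (sender, desc))
    print("multi-flag openers:", multiflag_openers(SAMPLE_CONN_LOG))
```

Run against the sample, the poster's record decodes as originator multi-flag packet, responder pure ACK, responder SYN+ACK, and its uid is the only one returned by `multiflag_openers`; the second record decodes as a normal handshake, data in both directions and a FIN from each side.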