[Bro] conn.log history has letter 'Q'?
김희철
hckim at narusec.com
Thu Aug 20 23:20:09 PDT 2015
so for the history:
S  a SYN w/o the ACK bit set
H  a SYN+ACK (“handshake”)
A  a pure ACK
D  packet with payload (“data”)
F  packet with FIN bit set
R  packet with RST bit set
C  packet with a bad checksum
I  inconsistent packet (e.g. SYN+RST bits both set)
Q  a syn/fin or syn/rst
L  a fin/rst
On Fri, Aug 21, 2015 at 4:00 AM, <bro-request at bro.org> wrote:
> Today's Topics:
>
> 1. Re: conn.log history has letter 'Q'? (Daniel Thayer)
> 2. Re: conn.log history has letter 'Q'? (James Lay)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Thu, 20 Aug 2015 13:08:09 -0500
> From: Daniel Thayer <dnthayer at illinois.edu>
> Subject: Re: [Bro] conn.log history has letter 'Q'?
> To: Seth Hall <seth at icir.org>
> Cc: bro at bro.org
> Message-ID: <55D61789.7000804 at illinois.edu>
> Content-Type: text/plain; charset="utf-8"; format=flowed
>
> I already fixed this (I've had a branch for a while now
> where I've been collecting small documentation fixes like this).
>
>
>
> On 08/20/2015 11:44 AM, Seth Hall wrote:
> > To make it worse, there is also "I" which indicates fin/rst (and
> possibly other flags). James, would you mind filing a ticket about adding
> Q/I to the docs? (he who brings up docs files the ticket!)
> >
> > .Seth
> >
>
>
> ------------------------------
>
> Message: 2
> Date: Thu, 20 Aug 2015 12:25:34 -0600
> From: James Lay <jlay at slave-tothe-box.net>
> Subject: Re: [Bro] conn.log history has letter 'Q'?
> To: Seth Hall <seth at icir.org>
> Cc: "bro at bro.org" <bro at bro.org>
> Message-ID: <7BA0F2A1-64A3-48B0-BE13-F7236511C4BA at slave-tothe-box.net>
> Content-Type: text/plain; charset=utf-8
>
> LoL...I sure will Seth thanks.
>
> Sent from my iPhone
>
> > On Aug 20, 2015, at 10:44, Seth Hall <seth at icir.org> wrote:
> >
> >
> >> On Aug 19, 2015, at 10:59 PM, James Lay <jlay at slave-tothe-box.net>
> wrote:
> >>
> >> That's interesting..I don't have Q at all....and I would agree that
> maybe that should be documented somewhere, but I couldn't find it here:
> >
> > To make it worse, there is also "I" which indicates fin/rst (and
> possibly other flags). James, would you mind filing a ticket about adding
> Q/I to the docs? (he who brings up docs files the ticket!)
> >
> > .Seth
> >
> > --
> > Seth Hall
> > International Computer Science Institute
> > (Bro) because everyone has a network
> > http://www.bro.org/
>
>
>
> ------------------------------
>
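A small decoder for the history letters listed in this thread, added here as an example and not code from the thread or from Bro itself. The conn.log records it scans are constructed; the uppercase/lowercase split (originator vs. responder) follows Bro's documented convention for the history field, and the choice of C/I/Q/L as the letters worth a second look is this example's own.

```python
# Meanings of the history letters as given in the thread above.
# Bro writes a letter in uppercase when the originator sent the packet
# and in lowercase when the responder sent it.
HISTORY_LETTERS = {
    "S": "SYN w/o the ACK bit set",
    "H": "SYN+ACK (handshake)",
    "A": "pure ACK",
    "D": "packet with payload (data)",
    "F": "packet with FIN bit set",
    "R": "packet with RST bit set",
    "C": "packet with a bad checksum",
    "I": "inconsistent packet (e.g. SYN+RST bits both set)",
    "Q": "SYN/FIN or SYN/RST",
    "L": "FIN/RST",
}
# Letters that do not occur in a clean TCP exchange (example's own choice).
ANOMALOUS = {"C", "I", "Q", "L"}


def decode_history(history):
    """Expand a history string into (side, letter, meaning) tuples.

    Letters this page does not list are kept with meaning 'unknown'
    rather than raising, so newer Bro releases do not break the parser.
    """
    decoded = []
    for ch in history:
        side = "orig" if ch.isupper() else "resp"
        decoded.append((side, ch.upper(), HISTORY_LETTERS.get(ch.upper(), "unknown")))
    return decoded


def anomalous_letters(history):
    """Return the sorted, case-folded anomalous letters found in a history string."""
    return sorted({ch.upper() for ch in history if ch.upper() in ANOMALOUS})


# Constructed conn.log excerpt reduced to three tab-separated columns: ts, uid, history.
SAMPLE_LOG = """\
1440115200.000000\tCAbCdE1xyz\tShADadFf
1440115201.000000\tCFgHiJ2uvw\tSQ
1440115202.000000\tCKlMnO3rst\tShAIad
1440115203.000000\tCPqRsT4opq\t-
"""


def scan_conn_log(text):
    """Return (uid, anomalous letters) for every record whose history contains one."""
    hits = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 3 or fields[2] == "-":  # "-" is Bro's unset-field marker
            continue
        letters = anomalous_letters(fields[2])
        if letters:
            hits.append((fields[1], letters))
    return hits
```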