[Bro] conn.log history has letter 'Q'?
seth at icir.org
Fri Aug 21 06:49:11 PDT 2015
> On Aug 21, 2015, at 2:20 AM, 김희철 <hckim at narusec.com> wrote:
> I inconsistent packet (e.g. SYN+RST bits both set)
I don’t actually know what ‘I’ stands for, but it’s for fin/rst packets, not syn/rst (although that would also be viable as long as fin is also set).
> L a fin/rst
I don’t believe that ‘L’ is a valid flag for the history field. Where did you find this?
International Computer Science Institute
(Bro) because everyone has a network