[Bro] conn.log history has letter 'Q'?
김희철
hckim at narusec.com
Tue Aug 25 02:57:47 PDT 2015
>> I inconsistent packet (e.g. SYN+RST bits both set)
>I don’t actually know what ‘I’ stands for, but it’s for fin/rst packets, not syn/rst (although that would also be viable as long as fin is also set)
I got 'I' from the Bro documentation:
https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html
>> L a fin/rst
>I don’t believe that ‘L’ is a valid flag for the history field. Where did you find this?
Sorry, I got mixed up with capital 'I' and lower case 'L'.
On Fri, Aug 21, 2015 at 10:49 PM, Seth Hall <seth at icir.org> wrote:
>
> > On Aug 21, 2015, at 2:20 AM, 김희철 <hckim at narusec.com> wrote:
> >
> > I inconsistent packet (e.g. SYN+RST bits both set)
>
> I don’t actually know what ‘I’ stands for, but it’s for fin/rst packets,
> not syn/rst (although that would also be viable as long as fin is also set)
>
> > L a fin/rst
>
> I don’t believe that ‘L’ is a valid flag for the history field. Where did
> you find this?
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
>