[Bro] Differences between conn.log and known_services.log
Seth Hall
seth at icir.org
Wed Jan 7 09:41:10 PST 2015
> On Jan 7, 2015, at 10:17 AM, Vito Logrillo <vitologrillo at gmail.com> wrote:
>
> conn.log and known_services.log have a field named "service":
> sometimes this field is empty in conn.log but in known_services.log it is
> not… Why?
It’s due to what is actually being logged in both of those logs. conn.log has information per-connection so you can imagine that someone might connect to a host and not actually speak the protocol that the server speaks and we don’t detect any protocol. known_services.log is generally trying to figure out what protocol a host-port pair speaks and logs that. If no protocol is detected, we try to delay logging the fact that the port is held open in the hopes that a better connection will happen later.
Make sense?
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
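To see the difference Seth describes in actual data, here is a small added example (not from the thread or from the Bro project) that parses a constructed conn.log and known_services.log excerpt and, per responder host/port, counts connections with no detected protocol next to the protocols conn.log did see and the known_services.log entry for that pair. The column names are Bro's; the log rows are made up.

```python
"""Compare conn.log's per-connection service field with the per-host/port
view in known_services.log. Added example; the log excerpts are constructed
and use only a subset of Bro's columns."""
from collections import defaultdict

# Constructed conn.log excerpt: two connections to 10.0.0.5:22, only one of
# which actually spoke SSH; the other is a bare TCP handshake ("-" = unset).
CONN_LOG = """#separator \\x09
#fields	ts	uid	id.orig_h	id.orig_p	id.resp_h	id.resp_p	proto	service
1420650000.1	Ca	192.168.1.10	50001	10.0.0.5	22	tcp	-
1420650001.2	Cb	192.168.1.11	50002	10.0.0.5	22	tcp	ssh
1420650002.3	Cc	192.168.1.12	50003	10.0.0.9	8080	tcp	-
"""
# Constructed known_services.log excerpt: one row per host/port once a
# protocol was seen; 10.0.0.9:8080 never got a detection, so no row yet.
KNOWN_SERVICES_LOG = """#separator \\x09
#fields	ts	host	port_num	port_proto	service
1420650001.2	10.0.0.5	22	tcp	SSH
"""

def parse_bro_log(text):
    """Return data rows as dicts keyed by the #fields header; '-' stays '-'."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def compare_services(conn_text, known_text):
    """Map (resp_h, resp_p) -> {'conn': services seen in conn.log, 'empty':
    connections with no detected protocol, 'known': known_services entry}."""
    summary = defaultdict(lambda: {"conn": set(), "empty": 0, "known": None})
    for r in parse_bro_log(conn_text):
        key = (r["id.resp_h"], r["id.resp_p"])
        if r["service"] == "-":
            summary[key]["empty"] += 1
        else:
            summary[key]["conn"].add(r["service"])
    for r in parse_bro_log(known_text):
        # known_services stores service as a set; "(empty)" means none yet.
        svc = set() if r["service"] == "(empty)" else set(r["service"].split(","))
        summary[(r["host"], r["port_num"])]["known"] = svc
    return dict(summary)

if __name__ == "__main__":
    for key, v in sorted(compare_services(CONN_LOG, KNOWN_SERVICES_LOG).items()):
        print(key, v)
```

In the constructed data 10.0.0.5:22 shows one connection with an empty service and one with "ssh" while known_services.log already records SSH for the pair, and 10.0.0.9:8080 has no known_services row because nothing was ever detected there.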