[Bro] Differences between conn.log and known_services.log
Seth Hall
seth at icir.org
Thu Jan 8 07:03:05 PST 2015
> On Jan 8, 2015, at 4:45 AM, Vito Logrillo <vitologrillo at gmail.com> wrote:
>
> Is it correct to say that the difference
> between conn.log and known_services.log is that conn.log is based on a
> real-time analysis and and known_services.log is based on a delayed
> analysis?is it right or not?
Technically that’s correct but I would say that it’s more accurate to say that the two logs are logging different things. conn.log is logging attribute of connections, and known_services.log is logging aspects of host/port pairs.
> Another question: if known_services identifies a service on a
> addr/port, that information is later used by conn.log or not?
No, that wouldn’t make sense to do that. The service field in conn.log is solely showing you what analyzer(s) Bro used successfully to analyze the traffic on that particular connection.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list