[Bro] Differences between conn.log and known_services.log
Vito Logrillo
vitologrillo at gmail.com
Thu Jan 8 07:34:06 PST 2015
Hi Seth,
thanks for your reply, but I have some doubts about it: I'll try to
explain myself better.
Sometimes in conn.log I have an output like this:
ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service .......
xxx CYePUY1fgIZQcJHerb 10.0.1.2 40077 10.0.5.6 67 udp - .....
and in known_services.log something like:
ts host port_num port_proto service
xxx 10.0.5.6 67 udp DHCP
(ip addrs are totally arbitrary)
Why do you think that a log like below is totally wrong?
ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service .......
xxx CYePUY1fgIZQcJHerb 10.0.1.2 40077 10.0.5.6 67 udp DHCP .....
In this case, I've used information present in known_services.log to
integrate the info present in conn.log, so the service field in
conn.log is not empty.
What's wrong with this?
Regards,
Vito
2015-01-08 16:03 GMT+01:00 Seth Hall <seth at icir.org>:
>
>> On Jan 8, 2015, at 4:45 AM, Vito Logrillo <vitologrillo at gmail.com> wrote:
>>
>> Is it correct to say that the difference
>> between conn.log and known_services.log is that conn.log is based on a
>> real-time analysis and known_services.log is based on a delayed
>> analysis? Is it right or not?
>
> Technically that’s correct but I would say that it’s more accurate to say that the two logs are logging different things. conn.log is logging attributes of connections, and known_services.log is logging aspects of host/port pairs.
>
>> Another question: if known_services identifies a service on a
>> addr/port, that information is later used by conn.log or not?
>
> No, that wouldn’t make sense to do that. The service field in conn.log is solely showing you what analyzer(s) Bro used successfully to analyze the traffic on that particular connection.
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
>
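The following is an added example, not code from this thread or from the Bro project. It shows one way to do the join Vito describes while keeping the distinction Seth draws: the conn.log `service` column (what Bro's analyzers actually confirmed on that connection) is left untouched, and the host/port-level result from known_services.log is carried in a separate `known_service` column. The log samples are constructed, use a subset of the real fields, and assume Bro's tab-separated log layout with a `#fields` header line; the `known_service` column name is an assumption for this example.

```python
"""Enrich conn.log rows with known_services.log data without overwriting 'service'.

Added example for the thread above, not Bro's own code. Assumes Bro's
tab-separated log format with a '#fields' header line; '-' means unset.
"""

# Constructed conn.log sample (subset of fields). Third row deliberately hits
# the same host/port as the first but over tcp, so the proto must match too.
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1420729446.000000\tCYePUY1fgIZQcJHerb\t10.0.1.2\t40077\t10.0.5.6\t67\tudp\t-
1420729447.000000\tCX1abcdef0123456\t10.0.1.3\t51234\t10.0.5.7\t80\ttcp\thttp
1420729448.000000\tCy9zyxwvutsrqpo\t10.0.1.4\t51235\t10.0.5.6\t67\ttcp\t-
"""

# Constructed known_services.log sample.
KNOWN_SERVICES_LOG = """#fields\tts\thost\tport_num\tport_proto\tservice
1420729400.000000\t10.0.5.6\t67\tudp\tDHCP
1420729401.000000\t10.0.5.7\t80\ttcp\tHTTP
"""


def parse_bro_log(text):
    """Parse a Bro-style TSV log into a list of dicts keyed by the #fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # Only the #fields header matters here; other '#' lines are metadata.
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("field count mismatch on line: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def build_service_index(known_rows):
    """Map (host, port, proto) -> service. Later rows win, so the newest
    observation is kept when the log is chronological."""
    index = {}
    for row in known_rows:
        key = (row["host"], row["port_num"], row["port_proto"])
        index[key] = row["service"]
    return index


def enrich(conn_rows, index):
    """Add a 'known_service' column looked up on the responder host/port/proto.

    The original 'service' column is left as Bro wrote it: it records which
    analyzer(s) succeeded on this connection, which is a different fact from
    'this host/port has been seen offering service X'."""
    out = []
    for row in conn_rows:
        key = (row["id.resp_h"], row["id.resp_p"], row["proto"])
        enriched = dict(row)
        enriched["known_service"] = index.get(key, "-")
        out.append(enriched)
    return out


def enrich_logs(conn_text, known_text):
    """Convenience wrapper: parse both logs and return the enriched conn rows."""
    index = build_service_index(parse_bro_log(known_text))
    return enrich(parse_bro_log(conn_text), index)


def enrichment_summary(rows):
    """Return (total rows, rows that got a known_service match)."""
    matched = sum(1 for r in rows if r["known_service"] != "-")
    return len(rows), matched


if __name__ == "__main__":
    for r in enrich_logs(CONN_LOG, KNOWN_SERVICES_LOG):
        print(r["uid"], r["id.resp_h"], r["id.resp_p"], r["proto"],
              "service=%s" % r["service"], "known_service=%s" % r["known_service"])
    print("total/matched:", enrichment_summary(enrich_logs(CONN_LOG, KNOWN_SERVICES_LOG)))
```

Keying the lookup on the protocol as well as host and port is what stops the tcp/67 row from picking up the udp DHCP entry; dropping the protocol from the key is an easy way to label connections with a service that was never observed on them.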