[Bro] tx_hosts and rx_hosts in files.log

Ali Hadi ali at ashemery.com
Mon Jun 1 03:07:19 PDT 2015


You're welcome. Hope it will be corrected soon.

Ali

On Mon, Jun 1, 2015 at 12:35 AM, Vlad Grigorescu <vlad at grigorescu.org>
wrote:

> Thanks for the bug report. Looks like this comes from the assumption made
> here:
>
>
> https://github.com/bro/bro/blob/master/src/analyzer/protocol/mime/MIME.cc#L1459
>
>   --Vlad
>
> On Sat, May 30, 2015 at 2:16 PM, Ali Hadi <ali at ashemery.com> wrote:
>
>> Hi,
>>
>> If you use the PCAP below and analyze it using Bro:
>> https://www.bro.org/static/traces/email.pcap
>>
>> Then when checking the files.log, the tx_hosts is supposed to show the
>> host who transmitted the file, and rx_hosts is for the host who received
>> the file based on Bro's documentation:
>> https://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html
>>
>> If you do the following:
>> cat files.log | bro-cut fuid tx_hosts rx_hosts | grep <ID OF THE LEAKED
>> PDF FILE>
>>
>> You'll get that the TX Host IP (SrcIP) is 192.168.121.176 and
>> not 192.168.121.179 !!!
>>
>> Is there something I'm doing wrong, or has bro switched their positions
>> in the output?
>>
>> Thanks in advance,
>> *Ali*
>>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>
>
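One way to cross-check the direction fields in files.log against conn.log, added here as an example (not code from this thread or from Bro itself). It assumes Bro's default TSV log layout with "," as the set separator, the field names used above, and constructed sample rows that reproduce the symptom reported; the rule that an SMTP attachment's transmitter should be the connection originator is the reviewer's own check, not something the thread states.

```python
import io

def parse_bro_log(text):
    """Parse a Bro TSV log into dict rows, honouring its #-prefixed header."""
    sep, unset, fields, rows = "\t", "-", None, []
    for line in io.StringIO(text):
        line = line.rstrip("\n")
        if line.startswith("#separator"):   # e.g. "#separator \x09"
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#unset_field"):
            unset = line.split(sep, 1)[1]
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif not line or line.startswith("#"):  # #types, #path, etc.
            continue
        else:
            vals = [None if v == unset else v for v in line.split(sep)]
            rows.append(dict(zip(fields, vals)))
    return rows

def file_directions(files_log, conn_log):
    """Pair each file's tx_hosts/rx_hosts with its connection's orig/resp."""
    conns = {c["uid"]: c for c in parse_bro_log(conn_log)}
    report = []
    for f in parse_bro_log(files_log):
        tx = set((f["tx_hosts"] or "").split(","))   # set fields use ","
        rx = set((f["rx_hosts"] or "").split(","))
        for uid in (f["conn_uids"] or "").split(","):
            c = conns.get(uid)
            if c:
                report.append({"fuid": f["fuid"], "source": f["source"],
                               "tx_hosts": tx, "rx_hosts": rx,
                               "orig_h": c["id.orig_h"], "resp_h": c["id.resp_h"],
                               "tx_is_orig": c["id.orig_h"] in tx})
    return report

def swapped_smtp_files(report):
    """An SMTP attachment travels client->server, so tx_hosts should be the
    originator; return the fuids where it is not (assumed check)."""
    return [r["fuid"] for r in report if r["source"] == "SMTP" and not r["tx_is_orig"]]

# Constructed sample logs (hypothetical, not derived from email.pcap).
FILES_LOG = "\n".join([
    "#separator \\x09", "#set_separator\t,", "#unset_field\t-", "#path\tfiles",
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type",
    "1433000000.0\tFxyz1\t192.168.121.176\t192.168.121.179\tCabc1\tSMTP\tapplication/pdf",
    "1433000001.0\tFxyz2\t10.0.0.9\t10.0.0.5\tCabc2\tHTTP\ttext/html"])
CONN_LOG = "\n".join([
    "#separator \\x09", "#unset_field\t-", "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1433000000.0\tCabc1\t192.168.121.179\t1025\t192.168.121.176\t25\ttcp",
    "1433000001.0\tCabc2\t10.0.0.5\t40000\t10.0.0.9\t80\ttcp"])

if __name__ == "__main__":
    for row in file_directions(FILES_LOG, CONN_LOG):
        print(row)
    print("SMTP files whose tx_hosts is not the originator:",
          swapped_smtp_files(file_directions(FILES_LOG, CONN_LOG)))
```

Running it against real files.log and conn.log text (read from disk) gives, per fuid, the tx/rx sets next to the originator/responder of each connection in conn_uids, which is the comparison the bro-cut command above leaves to the eye.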

