[Bro] missing fields in conn.log
Seth Hall
seth at icir.org
Thu Jun 18 07:22:51 PDT 2015
> On Jun 18, 2015, at 9:28 AM, Earl Eiland <earl.eiland at root9b.com> wrote:
>
> For example, my test data includes MODBUS traffic, and one of the optional conn fields is "modbus". I've checked loaded-scripts.log: modbus/main.bro is loaded. Also modbus.log is being output and populated. conn.log, however, does not include a "modbus" field.
Eep! You just discovered a bug. The analyzer is never validating the protocol successfully (which is required in order for it to show up in conn.log). I’m going to do a patch now that fixes it.
“modbus” should be showing up in the “service” field of conn.log (which represents analyzers that were attached and successfully analyzed a connection.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150618/d6ab444f/attachment.bin
More information about the Bro
mailing list