[Bro] missing fields in conn.log
Earl Eiland
earl.eiland at root9b.com
Thu Jun 18 08:16:38 PDT 2015
awesome! Thanks.
Best Regards,
Earl Eiland,
________________________________________
From: Seth Hall <seth at icir.org>
Sent: Thursday, June 18, 2015 9:22 AM
To: Earl Eiland
Cc: bro at bro.org
Subject: Re: [Bro] missing fields in conn.log
> On Jun 18, 2015, at 9:28 AM, Earl Eiland <earl.eiland at root9b.com> wrote:
>
> For example, my test data includes MODBUS traffic, and one of the optional conn fields is "modbus". I've checked loaded-scripts.log: modbus/main.bro is loaded. Also modbus.log is being output and populated. conn.log, however, does not include a "modbus" field.
Eep! You just discovered a bug. The analyzer is never validating the protocol successfully (which is required in order for it to show up in conn.log). I’m going to do a patch now that fixes it.
“modbus” should be showing up in the “service” field of conn.log (which represents analyzers that were attached and successfully analyzed a connection.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
More information about the Bro
mailing list