[Bro] tx_hosts and rx_hosts in files.log

Ali Hadi ali at ashemery.com
Sat May 30 12:16:07 PDT 2015


Hi,

If you use the PCAP below and analyze it using Bro:
https://www.bro.org/static/traces/email.pcap

Then, when checking the files.log, tx_hosts is supposed to show the host
that transmitted the file, and rx_hosts the host that received the
file, based on Bro's documentation:
https://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html

If you do the following:
cat files.log | bro-cut fuid tx_hosts rx_hosts | grep <ID OF THE LEAKED PDF FILE>

You'll get that the TX Host IP (SrcIP) is 192.168.121.176 and
not 192.168.121.179!!!

Is there something I'm doing wrong, or has Bro switched their positions in
the output?

Thanks in advance,
*Ali*
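The bro-cut pipeline in the question depends on the column positions and set formatting of files.log, which is exactly where the confusion about tx_hosts versus rx_hosts comes from. The following added example (not code from the post or from the Bro project) parses a Bro/Zeek TSV log by its #fields and #types headers instead, so tx_hosts and rx_hosts are looked up by name and returned as sets of addresses. The sample log, its fuid values and its IP addresses are constructed for illustration and are not taken from the email.pcap trace.

```python
"""Look up tx_hosts / rx_hosts for a file id in a Bro/Zeek files.log.

Added example, not code from the mailing-list post or from the Bro project.
The sample log below is constructed; the fuid and conn_uid values are
placeholders, not identifiers from the email.pcap trace in the thread.
"""

# Constructed files.log excerpt in the TSV format Bro writes: header lines
# start with '#', set-typed columns are comma separated, '-' means unset.
SAMPLE_FILES_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tdepth\tanalyzers\tmime_type\tfilename
#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring\tcount\tset[string]\tstring\tstring
1432991000.123456\tFconstructed1\t192.168.121.176\t192.168.121.179\tCconstructed1\tSMTP\t0\tMD5,SHA1\tapplication/pdf\tNDA.pdf
1432991001.654321\tFconstructed2\t192.168.121.179\t192.168.121.176\tCconstructed2\tSMTP\t0\t-\ttext/plain\t-
"""


def parse_bro_log(text):
    """Parse a Bro/Zeek TSV log into a list of dict rows keyed by #fields.

    Honors the #unset_field marker ('-' -> None), the #empty_field marker,
    and splits set[...] / vector[...] typed columns on #set_separator into
    Python sets, so a column with several hosts is handled correctly.
    """
    fields, types = [], []
    set_sep, unset, empty = ",", "-", "(empty)"
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # Header directive: '#key<TAB>value' (the #separator line uses a
            # space and is ignored; the field separator here is always TAB).
            key, _, value = line[1:].partition("\t")
            if key == "fields":
                fields = value.split("\t")
            elif key == "types":
                types = value.split("\t")
            elif key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            continue
        cols = line.split("\t")
        row = {}
        for name, typ, raw in zip(fields, types, cols):
            if raw == unset:
                row[name] = None
            elif typ.startswith(("set[", "vector[")):
                row[name] = set() if raw == empty else set(raw.split(set_sep))
            else:
                row[name] = raw
        rows.append(row)
    return rows


def file_hosts(rows, fuid):
    """Return (tx_hosts, rx_hosts) for the given fuid, or None if not found.

    tx_hosts are the hosts that sent the bytes of the file; rx_hosts are the
    hosts that received them (Bro's files framework semantics).
    """
    for row in rows:
        if row.get("fuid") == fuid:
            return row["tx_hosts"], row["rx_hosts"]
    return None


def transmitted_by(rows, host):
    """All fuids whose tx_hosts contains `host`, i.e. files this host sent."""
    return [r["fuid"] for r in rows if r["tx_hosts"] and host in r["tx_hosts"]]


if __name__ == "__main__":
    parsed = parse_bro_log(SAMPLE_FILES_LOG)
    for r in parsed:
        print(r["fuid"], "tx:", sorted(r["tx_hosts"]), "rx:", sorted(r["rx_hosts"]))
    print("sent by 192.168.121.176:", transmitted_by(parsed, "192.168.121.176"))
```

Because the lookup is by column name rather than position, it keeps working if a Bro version adds or reorders columns in files.log, and the set handling matters because tx_hosts and rx_hosts can hold more than one address when a file is seen over several connections. When reading a real files.log, note that for SMTP the host listed in tx_hosts is the SMTP client that sent the message, not necessarily the machine that originally created the attachment.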