[Bro] tx_hosts and rx_hosts in files.log
Ali Hadi
ali at ashemery.com
Sat May 30 12:16:07 PDT 2015
Hi,
If you use the PCAP below and analyze it using Bro:
https://www.bro.org/static/traces/email.pcap
Then when checking the files.log, the tx_hosts is supposed to show the host
who transmitted the file, and rx_hosts is for the host who received the
file based on Bro's documentation:
https://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html
If you do the following:
cat files.log | bro-cut fuid tx_hosts rx_hosts | grep <ID OF THE LEAKED PDF FILE>
You'll get that the TX Host IP (SrcIP) is 192.168.121.176 and
not 192.168.121.179 !!!
Is there something I'm doing wrong, or has bro switched their positions in
the output?
Thanks in advance,
*Ali*
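An added example, not part of the original post and not Bro's own tooling: a small Python script that parses Bro's tab-separated files.log and conn.log, joins them on conn_uids, and checks whether tx_hosts/rx_hosts agree with the connection's originator and responder. The sample log lines are constructed (RFC 5737 addresses, made-up uids) rather than taken from email.pcap; the field layout follows the Bro 2.x files.log and conn.log headers, and the check assumes is_orig=T means the connection originator sent the file. The third constructed row deliberately has tx_hosts and rx_hosts swapped so the mismatch report is visible.

```python
"""Cross-check tx_hosts / rx_hosts in a Bro files.log against conn.log.

Added example; the logs below are constructed samples, not output from
the email.pcap trace discussed on the list.
"""
from typing import Dict, List

# Constructed files.log excerpt (subset of the Bro 2.x fields, same TSV layout).
FILES_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tis_orig\tmime_type\tfilename
#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring\tbool\tstring\tstring
1432960000.100000\tFexample001\t192.0.2.10\t192.0.2.20\tCexample001\tSMTP\tT\tapplication/pdf\treport.pdf
1432960001.200000\tFexample002\t192.0.2.20\t192.0.2.10\tCexample002\tHTTP\tF\ttext/html\t-
1432960002.300000\tFexample003\t192.0.2.20\t192.0.2.10\tCexample003\tSMTP\tT\tapplication/pdf\tleak.pdf
"""

# Constructed conn.log excerpt matching the conn_uids above.
CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1432960000.000000\tCexample001\t192.0.2.10\t51000\t192.0.2.20\t25\ttcp\tsmtp
1432960001.000000\tCexample002\t192.0.2.10\t51001\t192.0.2.20\t80\ttcp\thttp
1432960002.000000\tCexample003\t192.0.2.10\t51002\t192.0.2.20\t25\ttcp\tsmtp
"""


def parse_bro_log(text: str) -> List[Dict[str, object]]:
    """Parse a Bro ASCII log: '#fields' names columns, '#types' tells us
    which columns are sets (comma-separated) or bools; other '#' lines are
    header metadata and are skipped."""
    fields: List[str] = []
    types: List[str] = []
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line.partition("\t")
            if key == "#fields":
                fields = rest.split("\t")
            elif key == "#types":
                types = rest.split("\t")
            continue
        row: Dict[str, object] = {}
        for name, typ, val in zip(fields, types, line.split("\t")):
            if typ.startswith("set[") or typ.startswith("vector["):
                row[name] = [] if val in ("-", "(empty)") else val.split(",")
            elif typ == "bool":
                row[name] = None if val == "-" else val == "T"
            else:
                row[name] = None if val == "-" else val
        rows.append(row)
    return rows


def cross_check(files_rows, conn_rows) -> List[Dict[str, object]]:
    """For each file/connection pair, derive the expected sender from
    conn.log (originator if is_orig is true, responder otherwise) and
    report whether tx_hosts / rx_hosts agree with it."""
    conns = {c["uid"]: c for c in conn_rows}
    results = []
    for f in files_rows:
        for cuid in f["conn_uids"]:
            c = conns.get(cuid)
            if c is None:
                results.append({"fuid": f["fuid"], "conn_uid": cuid,
                                "consistent": None, "note": "no conn.log entry"})
                continue
            orig, resp = c["id.orig_h"], c["id.resp_h"]
            expected_tx, expected_rx = (orig, resp) if f["is_orig"] else (resp, orig)
            results.append({
                "fuid": f["fuid"], "conn_uid": cuid,
                "tx_hosts": f["tx_hosts"], "rx_hosts": f["rx_hosts"],
                "expected_tx": expected_tx, "expected_rx": expected_rx,
                "consistent": expected_tx in f["tx_hosts"] and expected_rx in f["rx_hosts"],
            })
    return results


if __name__ == "__main__":
    # Print a bro-cut-like view with the cross-check result appended.
    for r in cross_check(parse_bro_log(FILES_LOG), parse_bro_log(CONN_LOG)):
        print(r["fuid"], ",".join(r.get("tx_hosts", [])), ",".join(r.get("rx_hosts", [])),
              "expected_tx=%s" % r.get("expected_tx"), "consistent=%s" % r["consistent"])
```

The point of the join is that conn.log's id.orig_h/id.resp_h are unambiguous, so comparing them with tx_hosts/rx_hosts via is_orig separates "the fields are swapped" from "the file really did travel in the other direction than I assumed"; run the same script over the real files.log and conn.log from email.pcap to settle the question for that trace.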