[Bro] tx_hosts and rx_hosts in files.log

Vlad Grigorescu vlad at grigorescu.org
Sun May 31 14:35:40 PDT 2015


Thanks for the bug report. Looks like this comes from the assumption made
here:

https://github.com/bro/bro/blob/master/src/analyzer/protocol/mime/MIME.cc#L1459

  --Vlad

On Sat, May 30, 2015 at 2:16 PM, Ali Hadi <ali at ashemery.com> wrote:

> Hi,
>
> If you use the PCAP below and analyze it using Bro:
> https://www.bro.org/static/traces/email.pcap
>
> Then when checking the files.log, the tx_hosts is supposed to show the
> host who transmitted the file, and rx_hosts is for the host who received
> the file based on Bro's documentation:
> https://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html
>
> If you do the following:
> cat files.log | bro-cut fuid tx_hosts rx_hosts | grep <ID OF THE LEAKED
> PDF FILE>
>
> You'll get that the TX Host IP (SrcIP) is 192.168.121.176 and
> not 192.168.121.179 !!!
>
> Is there something I'm doing wrong, or has bro switched their positions in
> the output?
>
> Thanks in advance,
> *Ali*
>
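To make the direction question concrete, here is an added example (not Bro's code and not from either poster) that parses files.log and conn.log and reports, per file, whether tx_hosts is the connection originator or the responder. The log rows are constructed for illustration and are not taken from email.pcap; columns are read from the #fields header, so real logs with more columns parse the same way.

```python
"""Cross-check tx_hosts/rx_hosts in files.log against conn.log endpoints."""

# Constructed sample rows (not from email.pcap); real logs carry more columns.
CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1432929000.1\tCsmtp01\t192.168.121.176\t49152\t192.168.121.179\t25\ttcp\tsmtp
1432929100.2\tChttp02\t192.168.121.176\t49153\t192.168.121.179\t80\ttcp\thttp
"""
FILES_LOG = """\
#separator \\x09
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type
#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring\tstring
1432929001.0\tFpdf001\t192.168.121.176\t192.168.121.179\tCsmtp01\tSMTP\tapplication/pdf
1432929101.0\tFhtm002\t192.168.121.179\t192.168.121.176\tChttp02\tHTTP\ttext/html
"""

def parse_bro_log(text):
    """Parse a Bro TSV log: '#fields' names the columns, other '#' lines are metadata."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def check_direction(files_text, conn_text):
    """Map each fuid to how its tx_hosts/rx_hosts relate to the conn.log endpoints."""
    conns = {c["uid"]: c for c in parse_bro_log(conn_text)}
    results = {}
    for f in parse_bro_log(files_text):
        tx = set(f["tx_hosts"].split(","))   # set[addr] fields are comma-separated
        rx = set(f["rx_hosts"].split(","))
        for uid in f["conn_uids"].split(","):
            c = conns.get(uid)
            if c is None:
                results[f["fuid"]] = "unknown-conn"
            elif tx == {c["id.orig_h"]} and rx == {c["id.resp_h"]}:
                results[f["fuid"]] = "orig->resp"   # sent by the connection originator
            elif tx == {c["id.resp_h"]} and rx == {c["id.orig_h"]}:
                results[f["fuid"]] = "resp->orig"   # sent by the responder (e.g. HTTP body)
            else:
                results[f["fuid"]] = "inconsistent"  # neither endpoint pairing fits
    return results

if __name__ == "__main__":
    for fuid, verdict in check_direction(FILES_LOG, CONN_LOG).items():
        print(fuid, verdict)
```

Running it on real logs with `bro-cut`-free parsing lets you see, for a given fuid, which conn.log endpoint Bro recorded as the transmitter, which is the check the question above is really asking.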