[Bro] huge weird.log/conn.log

Vlad Grigorescu vladg at illinois.edu
Thu Dec 1 08:14:25 PST 2016


Can you take a look at what weirds, specifically, you're getting?
Something like:

> cat weird.log | bro-cut name | sort | uniq -c | sort -n

  --Vlad

erik clark <philosnef at gmail.com> writes:

> I have two bro sensors. One is running 2.5, one is running 2.4.1. Both are
> running on the same link off the tap.
>
> The weird.log on the 2.5 box is 6 times bigger than the weird.log on the
> 2.4.1 log. Any idea why this might be? How can I troubleshoot this?
>
> My conn.log is 3 times bigger. For reference:
>
> conn.log -> 2.5 (45 minutes) 17 gig
> conn.log -> 2.4.1 (45 min) 5.5 gig
>
> weird.log -> 2.5 (45 minutes) 11 gig
> weird.log -> 2.4.1 (45 minutes) 1.2 gig
>
> These numbers seem to be WAY off. I have no idea how to even try and parse
> this to see what is going on.
>
> Packet loss on 2.4.1 is 6%
> Packet loss on 2.5 is 1%.
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
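The tally Vlad suggests (`bro-cut name | sort | uniq -c | sort -n`) can also be done in a few lines of Python, which makes it easy to put the two sensors' weird.log files side by side and see which weird names account for the difference in size. The following is an added example written for this page, not code from the thread or from the Bro project. The weird.log rows are constructed for illustration (the names are real Bro weird names, but the counts and addresses are made up), and `parse_bro_log` assumes the standard Bro 2.x ASCII log header with a `#separator` line followed by a `#fields` line.

```python
import collections
import io

# Constructed sample weird.log excerpts in the Bro 2.x ASCII format. The rows are
# illustrative only; they are not data from the sensors discussed in the thread.
HEADER = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tweird\n"
    "#open\t2016-12-01-08-00-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring\n"
)


def row(ts, name, addl="-"):
    """Build one constructed weird.log data row (tab-separated, 10 columns)."""
    return f"{ts}\tCXWv6p3arKYeMETxOg\t10.0.0.5\t51234\t10.0.0.9\t80\t{name}\t{addl}\tF\tbro\n"


# Hypothetical excerpt from the 2.5 sensor: more bad_TCP_checksum rows than the other box.
SENSOR_25 = HEADER + "".join([
    row("1480608000.000001", "bad_TCP_checksum"),
    row("1480608000.100002", "bad_TCP_checksum"),
    row("1480608000.200003", "dns_unmatched_msg"),
    row("1480608000.300004", "bad_TCP_checksum"),
    row("1480608000.400005", "possible_split_routing"),
    row("1480608000.500006", "dns_unmatched_msg"),
]) + "#close\t2016-12-01-08-45-00\n"

# Hypothetical excerpt from the 2.4.1 sensor over the same window.
SENSOR_241 = HEADER + "".join([
    row("1480608000.000001", "bad_TCP_checksum"),
    row("1480608000.200003", "dns_unmatched_msg"),
    row("1480608000.500006", "dns_unmatched_msg"),
]) + "#close\t2016-12-01-08-45-00\n"


def parse_bro_log(text):
    """Yield one dict per data row of a Bro ASCII log, keyed by the #fields header.

    Header lines start with '#'; the #separator line spells the column separator as
    an escape sequence (e.g. \\x09 for a tab), so it is decoded before use.
    """
    sep = "\t"
    fields = None
    for raw in io.StringIO(text):
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("#separator "):
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "fields":
                fields = value.split(sep)
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        yield dict(zip(fields, line.split(sep)))


def count_weirds(text):
    """Same tally as `bro-cut name | sort | uniq -c`: weird name -> number of rows."""
    return collections.Counter(rec["name"] for rec in parse_bro_log(text))


def compare_sensors(text_a, text_b):
    """Side-by-side counts for two sensors, largest surplus on sensor A first.

    Returns a list of (name, count_a, count_b) tuples so that a log that is several
    times larger can be traced to the specific weird names driving the growth.
    """
    a, b = count_weirds(text_a), count_weirds(text_b)
    names = set(a) | set(b)
    return sorted(((n, a[n], b[n]) for n in names), key=lambda t: (-(t[1] - t[2]), t[0]))


if __name__ == "__main__":
    for name, c25, c241 in compare_sensors(SENSOR_25, SENSOR_241):
        print(f"{c25:8d} {c241:8d}  {name}")
```

On a real sensor, read the two files with `open(...)` in place of the constructed strings; for multi-gigabyte logs the parser is a generator, so memory stays bounded by the number of distinct weird names rather than the number of rows. Once the dominant names are known, the Bro weird policy can suppress or sample them instead of logging every occurrence.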