[Bro] possible bug with smtp analyzer/trans_depth issue

erik clark philosnef at gmail.com
Tue Oct 11 09:40:58 PDT 2016


We were researching an issue where we have multiple smtp messages in
the same uid (normal), but where every message has the same trans_depth...
When the pcap is run against bro manually, we get the correct number of
trans_depth values. Packet loss on the systems is very low (below .5%), so
I can't exactly chalk it up to traffic issues.

Anyone have any experience with this, or might have some insight as to why
trans_depth isn't being incremented in these messages?
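
A check for the symptom described above, as an added example that is not part of the original post or of Bro itself: it reads an smtp.log in the default tab-separated format and reports every uid in which a trans_depth value occurs more than once. It assumes the `uid` and `trans_depth` columns named in the log's `#fields` header; the sample log and its uids are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample: a cut-down smtp.log. One connection counts its
# messages normally (1, 2, 3); the other repeats trans_depth 1.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#path\tsmtp",
    "#fields\tts\tuid\ttrans_depth\tmailfrom",
    "1476200000.10\tCconstructedA\t1\ta@example.com",
    "1476200001.20\tCconstructedA\t2\ta@example.com",
    "1476200002.30\tCconstructedA\t3\ta@example.com",
    "1476200010.10\tCconstructedB\t1\tb@example.com",
    "1476200011.20\tCconstructedB\t1\tb@example.com",
    "1476200012.30\tCconstructedB\t1\tb@example.com",
    "#close\t2016-10-11-09-40-58",
])


def parse_bro_tsv(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record found before the #fields header")
            yield dict(zip(fields, line.split("\t")))


def repeated_trans_depth(text):
    """Return {uid: {trans_depth: count}} for values logged more than once."""
    seen = defaultdict(Counter)
    for rec in parse_bro_tsv(text):
        seen[rec["uid"]][rec["trans_depth"]] += 1
    report = {}
    for uid, depths in seen.items():
        repeats = {d: n for d, n in depths.items() if n > 1}
        if repeats:
            report[uid] = repeats
    return report


if __name__ == "__main__":
    for uid, repeats in repeated_trans_depth(SAMPLE_LOG).items():
        print(uid, repeats)
```

Running it over both the live sensor's log and the log produced from the pcap shows which connections are affected.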