[Bro] intel.log file stops getting generated.

Azoff, Justin S jazoff at illinois.edu
Wed Jan 25 13:13:22 PST 2017


> On Jan 25, 2017, at 3:29 PM, fatema bannatwala <fatema.bannatwala at gmail.com> wrote:
> 
> Thanks Justin!
> 
> Happening again, no intel.log file getting generated (I don't know why the poor intel file is getting impacted, and not any other log file :-/ )
> 
> Here are the stats (before I go ahead and disable scan.bro, and restart the cluster)
> $ cat conn.log |bro-cut id.resp_p history|fgrep -w S|sort|uniq  -c|sort -nr|head
>  398587 2323    S
>  256953 5358    S
>  205109 7547    S
>  115442 6789    S
>  101712 22      S
>   97051 81      S
>   90099 5800    S
>   44297 40884   S
>   43943 40876   S
>   35522 80      S

Ah, that looks about right for the constant flood of IoT scan crap. Are you filtering port 23 before Bro can see it? 23 would be about 10x the volume of 2323.


-- 
- Justin Azoff
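The pipeline quoted in the thread counts SYN-only connections per destination port from bro-cut output. The following Python script is an added example (not part of this thread and not Bro's own tooling) that does the same directly over a raw conn.log: it takes the column names from the `#fields` header, skips the other `#` header and `#close` lines, and matches the history field exactly against "S", so connections that drew a RST ("Sr") or completed a handshake are not counted as scan noise. The conn.log content below is constructed for the example, and the helper that reports what share of all connections is SYN-only is an addition beyond the quoted one-liner, useful when judging whether scan traffic is dominating a sensor.

```python
"""Count SYN-only (history == "S") connections per destination port in a Bro conn.log."""
import collections

# Column layout of a Bro ASCII conn.log (the names come from the #fields header line).
FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "service", "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
    "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
    "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]


def _row(uid, orig_h, resp_p, conn_state, history):
    """Build one constructed conn.log record with the 21 columns listed in FIELDS."""
    return "\t".join([
        "1485378000.000000", uid, orig_h, "40000", "192.0.2.10", str(resp_p), "tcp",
        "-", "-", "-", "-", conn_state, "F", "T", "0", history, "1", "60", "0", "0",
        "(empty)",
    ])


# Constructed sample log: four SYN-only probes to 2323, two to 23, one SYN+RST to 23
# (history "Sr", not a bare "S"), and one completed HTTP connection on port 80.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\t" + "\t".join(FIELDS),
    _row("C1", "203.0.113.5", 2323, "S0", "S"),
    _row("C2", "203.0.113.6", 2323, "S0", "S"),
    _row("C3", "203.0.113.7", 2323, "S0", "S"),
    _row("C4", "203.0.113.8", 2323, "S0", "S"),
    _row("C5", "203.0.113.9", 23, "S0", "S"),
    _row("C6", "203.0.113.10", 23, "S0", "S"),
    _row("C7", "203.0.113.11", 23, "REJ", "Sr"),
    _row("C8", "198.51.100.4", 80, "SF", "ShADadFf"),
    "#close\t2017-01-25-13-13-22",
]) + "\n"


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header lines and the #close trailer
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # truncated or malformed record; skip rather than misalign columns
        yield dict(zip(fields, values))


def syn_only_by_port(text):
    """Count connections whose history is exactly "S" (SYN seen, no reply) per id.resp_p."""
    counts = collections.Counter()
    for rec in parse_conn_log(text):
        if rec.get("history") == "S":
            counts[rec["id.resp_p"]] += 1
    return counts


def top_ports(text, n=10):
    """Same shape as the sorted output of the quoted pipeline: (port, count), highest first."""
    return syn_only_by_port(text).most_common(n)


def syn_only_fraction(text):
    """Share of all conn.log records that are SYN-only; 0.0 for an empty log."""
    total = 0
    syn_only = 0
    for rec in parse_conn_log(text):
        total += 1
        if rec.get("history") == "S":
            syn_only += 1
    return syn_only / total if total else 0.0


if __name__ == "__main__":
    for port, count in top_ports(SAMPLE_CONN_LOG):
        print(f"{count:8d} {port}")
    print(f"SYN-only share of all connections: {syn_only_fraction(SAMPLE_CONN_LOG):.0%}")
```

Run it against a real log with `python3 script.py < conn.log` after replacing `SAMPLE_CONN_LOG` with `sys.stdin.read()`; the exact-match on `history` is the same whole-word behaviour `fgrep -w S` gives on bro-cut output, and the fraction helper makes it easy to see when unanswered probes on ports like 23 and 2323 are most of what the sensor is spending its time on.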
