[Bro] Log serial number in ssl.log
Azoff, Justin S
jazoff at illinois.edu
Wed Mar 29 14:44:03 PDT 2017
> On Mar 29, 2017, at 5:38 PM, Robert Harrelson <bobharrelsons at gmail.com> wrote:
>
> Dear Justin,
>
> Sorry for that mistake. I may have mixed up the files. I just re-ran bro and have copied below the results of ssl.log and conn.log.
> Thanks again for your help!
>
> --Robert
>
>
>
> conn.log
>
> #separator \x09
> #set_separator ,
> #empty_field (empty)
> #unset_field -
> #path conn
> #open 2017-03-29-17-27-40
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
> #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
>
> 1490822851.106865 Ckk89B3l4i616mbQx6 10.245.44.33 61486 216.58.219.100 443 tcp - 12.846213 0 4118 SHR - - 0 ^hadf 0 0 9 4594 (empty)
>
Ah yes... the hadf for all of your connection histories shows that Bro is only seeing half of your connections.
Are you running Bro on 10.245.44.33 itself?
https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums
--
- Justin Azoff
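
The check described in the reply, as an added example that is not part of the original message or of Bro itself: it reads a conn.log and flags TCP connections whose `history` contains packets from only one endpoint (upper-case letters are originator packets, lower-case are responder packets). The sample log is constructed from the record quoted above plus one made-up two-sided record; the function names are hypothetical.

```python
import io

# Constructed sample in Bro's tab-separated layout. The first record is the one
# quoted in the thread; the second is a made-up two-sided connection for contrast.
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration "
          "orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes "
          "history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents")
ROWS = [
    "1490822851.106865 Ckk89B3l4i616mbQx6 10.245.44.33 61486 216.58.219.100 443 "
    "tcp - 12.846213 0 4118 SHR - - 0 ^hadf 0 0 9 4594 (empty)",
    "1490822860.000000 CExample000000000 10.0.0.5 50000 192.0.2.10 443 "
    "tcp ssl 1.5 517 4118 SF - - 0 ShADadfF 10 1045 9 4594 (empty)",
]
SAMPLE = "\n".join(["#path\tconn", "#fields\t" + "\t".join(FIELDS.split())]
                   + ["\t".join(r.split()) for r in ROWS]) + "\n"

def read_conn_log(stream):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def seen_sides(history):
    """Return the endpoints whose packets appear in a history string.
    '^' (direction flipped by Bro) and '-' (unset) carry no side information."""
    sides = set()
    if any(c.isalpha() and c.isupper() for c in history):
        sides.add("orig")
    if any(c.isalpha() and c.islower() for c in history):
        sides.add("resp")
    return sides

def one_sided(text):
    """Return (uid, side_seen) for TCP connections captured in one direction only."""
    flagged = []
    for rec in read_conn_log(io.StringIO(text)):
        sides = seen_sides(rec.get("history", "-"))
        if rec.get("proto") == "tcp" and len(sides) == 1:
            flagged.append((rec["uid"], sides.pop()))
    return flagged

if __name__ == "__main__":
    for uid, side in one_sided(SAMPLE):
        print(f"{uid}: only {side} packets seen")
```
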