[Bro] Log serial number in ssl.log
Robert Harrelson
bobharrelsons at gmail.com
Wed Mar 29 15:52:54 PDT 2017
Yes, I am running bro on an iMac having IP address 10.245.44.33.
I will try out the workarounds for ignoring checksums tomorrow, and let you
know how it went. Let me know if you have any more advice, I am all ears.
Thank you so much!
--Robert
On Wed, Mar 29, 2017 at 5:44 PM, Azoff, Justin S <jazoff at illinois.edu> wrote:
>
> > On Mar 29, 2017, at 5:38 PM, Robert Harrelson <bobharrelsons at gmail.com> wrote:
> >
> > Dear Justin,
> >
> > Sorry for that mistake. I may have mixed up the files. I just re-ran bro and have copied below the results of ssl.log and conn.log.
> > Thanks again for your help!
> >
> > --Robert
> >
> >
> >
> > conn.log
> >
> > #separator \x09
> > #set_separator ,
> > #empty_field (empty)
> > #unset_field -
> > #path conn
> > #open 2017-03-29-17-27-40
> > #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
> > #types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
> >
> > 1490822851.106865 Ckk89B3l4i616mbQx6 10.245.44.33 61486 216.58.219.100 443 tcp - 12.846213 0 4118 SHR - - 0 ^hadf 0 0 9 4594 (empty)
> >
>
> Ah yes... the hadf for all of your connection histories shows that Bro is
> only seeing half of your connections
>
> Are you running bro on 10.245.44.33 itself?
>
> https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums
>
>
> --
> - Justin Azoff
>
>
>
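
Added example (not part of the original thread, and not code from the Bro project): a Python check that reads a conn.log and reports TCP connections whose history field contains letters from only one side, as in the ^hadf record quoted above. It assumes the conn.log convention that upper-case history letters come from the originator and lower-case letters from the responder; the function names, the reduced field list and the second sample record are made up for illustration.

```python
# Constructed sample: record 1 mirrors the conn.log line quoted in the thread
# (reduced to a subset of fields); record 2 is made up for contrast.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "conn_state", "history", "orig_pkts", "resp_pkts"]
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#path\tconn",
    "#fields\t" + "\t".join(FIELDS),
    "\t".join(["1490822851.106865", "Ckk89B3l4i616mbQx6", "10.245.44.33", "61486",
               "216.58.219.100", "443", "tcp", "SHR", "^hadf", "0", "9"]),
    "\t".join(["1490822852.000000", "CconstructedUid01", "192.0.2.10", "50000",
               "198.51.100.7", "443", "tcp", "SF", "ShADadfF", "10", "12"]),
])

def parse_bro_log(text):
    """Parse a Bro ASCII log using its own #separator and #fields header lines."""
    sep, fields, rows = "\t", [], []
    for line in text.splitlines():
        if line.startswith("#separator"):
            # The header stores the separator escaped, e.g. the 4 characters \x09.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split(sep))))
    return rows

def missing_side(history):
    """Return which side left no trace in the history, or None if both did."""
    letters = [c for c in history if c.isalpha()]  # skips '^' and the unset '-'
    if not letters:
        return None
    if not any(c.isupper() for c in letters):
        return "originator"
    if not any(c.islower() for c in letters):
        return "responder"
    return None

def one_sided_connections(rows):
    """List (uid, orig_h, missing side) for TCP records seen in one direction only."""
    hits = [(r["uid"], r["id.orig_h"], missing_side(r.get("history", "-")))
            for r in rows if r.get("proto") == "tcp"]
    return [h for h in hits if h[2] is not None]

if __name__ == "__main__":
    for uid, orig_h, side in one_sided_connections(parse_bro_log(SAMPLE_LOG)):
        print(f"{uid}: no packets recorded from the {side} (orig_h={orig_h})")
```

If most flagged records are missing the side that belongs to the host Bro runs on, that matches the situation described in the checksum FAQ entry linked in the thread.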