[Bro] Log serial number in ssl.log

Robert Harrelson bobharrelsons at gmail.com
Thu Mar 30 08:11:19 PDT 2017


The workaround is working.

Thank you

On Wed, Mar 29, 2017 at 6:52 PM, Robert Harrelson <bobharrelsons at gmail.com>
wrote:

> Yes, I am running bro on an iMac having IP address 10.245.44.33.
>
> I will try out the workarounds for ignoring checksums tomorrow, and let
> you know how it went. Let me know if you have any more advice, I am all
> ears.
>
> Thank you so much!
>
> --Robert
>
> On Wed, Mar 29, 2017 at 5:44 PM, Azoff, Justin S <jazoff at illinois.edu>
> wrote:
>
>>
>> > On Mar 29, 2017, at 5:38 PM, Robert Harrelson <bobharrelsons at gmail.com>
>> wrote:
>> >
>> > Dear Justin,
>> >
>> > Sorry for that mistake. I may have mixed up the files. I just re-ran
>> bro and have copied below the results of ssl.log and conn.log.
>> > Thanks again for your help!
>> >
>> > --Robert
>> >
>> >
>> >
>> > conn.log
>> >
>> > #separator \x09
>> > #set_separator        ,
>> > #empty_field  (empty)
>> > #unset_field  -
>> > #path conn
>> > #open 2017-03-29-17-27-40
>> > #fields  ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto  service  duration  orig_bytes  resp_bytes  conn_state  local_orig  local_resp  missed_bytes  history  orig_pkts  orig_ip_bytes  resp_pkts  resp_ip_bytes  tunnel_parents
>> > #types  time  string  addr  port  addr  port  enum  string  interval  count  count  string  bool  bool  count  string  count  count  count  count  set[string]
>> >
>> > 1490822851.106865  Ckk89B3l4i616mbQx6  10.245.44.33  61486  216.58.219.100  443  tcp  -  12.846213  0  4118  SHR  -  -  0  ^hadf  0  0  9  4594  (empty)
>> >
>>
>> Ah yes... the hadf for all of your connection histories shows that Bro is
>> only seeing half of your connections.
>>
>> Are you running bro on 10.245.44.33 itself?
>>
>> https://www.bro.org/documentation/faq.html#why-isn-t-bro-producing-the-logs-i-expect-a-note-about-checksums
>>
>>
>> --
>> - Justin Azoff
>>
>>
>>
>
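
Added example, not part of the thread or of Bro itself: a small conn.log check for the symptom diagnosed above. In the `history` field, upper-case letters are originator events and lower-case letters are responder events (`^` marks a flipped direction), so `^hadf` with `orig_pkts` of 0 means only the responder's packets were analyzed. The sample log is trimmed to the columns used, with one record taken from the thread and one constructed two-sided record.

```python
import io

# Sample conn.log reduced to the columns used here; the first record's values
# come from the thread, the second record is constructed for contrast.
SAMPLE = "\n".join([
    "#separator \\x09",
    "#fields\tuid\tid.orig_h\tid.resp_h\tconn_state\thistory\torig_pkts\tresp_pkts",
    "Ckk89B3l4i616mbQx6\t10.245.44.33\t216.58.219.100\tSHR\t^hadf\t0\t9",
    "CExampleTwoSided01\t10.245.44.33\t192.0.2.10\tSF\tShADadfF\t12\t10",
])

def read_bro_log(stream):
    """Yield one dict per record of a Bro TSV log, keyed by the #fields names."""
    sep, fields = "\t", None
    for line in stream:
        line = line.rstrip("\n")
        if line.startswith("#separator"):
            # The header value is escaped ("\x09"); decode it to the real character.
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#fields"):
            fields = line.split(sep)[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(sep)))

def missing_side(record):
    """Return 'originator' or 'responder' if that side's packets were never seen."""
    letters = [c for c in record["history"] if c.isalpha()]  # drops '^'
    if not letters:
        return None
    # Upper-case history letters are originator events, lower-case are responder events.
    if all(c.islower() for c in letters) and record["orig_pkts"] == "0":
        return "originator"
    if all(c.isupper() for c in letters) and record["resp_pkts"] == "0":
        return "responder"
    return None

def one_sided(stream):
    """Return (uid, originator address, missing side) for each one-sided connection."""
    return [(r["uid"], r["id.orig_h"], side)
            for r in read_bro_log(stream)
            if (side := missing_side(r))]

if __name__ == "__main__":
    for uid, host, side in one_sided(io.StringIO(SAMPLE)):
        print(f"{uid}: no {side} packets seen (originator {host})")
```

When every flagged record has the monitoring host itself as originator, as in this thread, the checksum note in the FAQ linked above is the first thing to check.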