[Bro] conn.log question

Dk Jack dnj0496 at gmail.com
Wed Jan 10 11:55:58 PST 2018


Hi,
I am trying to make sense of a couple of fields in the conn.log. The fields
in question are 'local_orig' and 'local_resp'. I read the comments (shown
at the end of this email) in main.bro of the conn directory but I still can't
quite follow what these fields mean. Do these fields mean that the
request/response were initiated from the system where bro was running?

I am performing analysis using bro and bro is receiving traffic over a span
port. In the connection log both these fields are set to true for a
connection and I am wondering why. Any further clarification is
appreciated. Thanks.

Dk.



    ## If the connection is originated locally, this value will be T.
    ## If it was originated remotely it will be F.  In the case that
    ## the :bro:id:`Site::local_nets` variable is undefined, this
    ## field will be left empty at all times.
    local_orig:   bool            &log &optional;

    ## If the connection is responded to locally, this value will be T.
    ## If it was responded to remotely it will be F.  In the case that
    ## the :bro:id:`Site::local_nets` variable is undefined, this
    ## field will be left empty at all times.
    local_resp:   bool            &log &optional;
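As an added illustration (not from the original post or from Bro itself), the script below re-derives local_orig and local_resp for a constructed conn.log excerpt the same way the quoted comments describe: a side of the connection is "local" when its address falls inside Site::local_nets. It assumes the two ranges in LOCAL_NETS are what the sensor's networks.cfg / Site::local_nets contains; with both endpoints inside those ranges, both fields come out T.

```python
import ipaddress

# Constructed networks.cfg-style list of local networks (assumption: the
# sensor's Site::local_nets is populated from exactly these two ranges).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]

# Constructed conn.log excerpt in Bro's TSV format (only the columns needed here).
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tlocal_orig\tlocal_resp
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tbool\tbool
1515613000.1\tCAbc1\t10.1.2.3\t51000\t192.168.1.10\t443\ttcp\tT\tT
1515613001.2\tCAbc2\t10.1.2.4\t51001\t93.184.216.34\t80\ttcp\tT\tF
1515613002.3\tCAbc3\t203.0.113.7\t40000\t10.1.2.5\t22\ttcp\tF\tT
"""

def is_local(addr: str) -> bool:
    """Mirror of Site::is_local_addr: true when addr lies in any configured local net."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)

def parse_conn_log(text: str):
    """Yield one dict per record, keyed by the column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #types, ...) and blanks
        else:
            yield dict(zip(fields, line.split("\t")))

def explain_locality(text: str):
    """Recompute both fields from LOCAL_NETS and check them against the logged values."""
    out = []
    for rec in parse_conn_log(text):
        exp_orig = is_local(rec["id.orig_h"])   # originator inside Site::local_nets?
        exp_resp = is_local(rec["id.resp_h"])   # responder inside Site::local_nets?
        out.append({
            "uid": rec["uid"],
            "expected_local_orig": exp_orig,
            "expected_local_resp": exp_resp,
            "matches_log": (rec["local_orig"] == ("T" if exp_orig else "F")
                            and rec["local_resp"] == ("T" if exp_resp else "F")),
        })
    return out

if __name__ == "__main__":
    for r in explain_locality(SAMPLE_CONN_LOG):
        print(r)
```

Running it against a real conn.log plus the sensor's networks.cfg ranges shows whether a T/T connection is simply one whose originator and responder are both in the configured local ranges.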