[Bro] conn.log question

Zeolla@GMail.com zeolla at gmail.com
Wed Jan 10 12:22:53 PST 2018


I suggest you look more into local_nets and networks.cfg.  Networks set in
networks.cfg are those that bro will consider local, and those fields are
not associated with traffic to/from the workers (excluding the traffic that
they are monitoring).  Think non-RFC 1918 (and associated RFCs) subnets
that bro may be monitoring and you own/are associated with your systems -
public IPs that you own.

https://www.bro.org/sphinx/scripts/base/utils/site.bro.html

Jon

On Wed, Jan 10, 2018, 15:05 Dk Jack <dnj0496 at gmail.com> wrote:

> Hi,
> I am trying to make sense of a couple of fields in the conn.log. The
> fields in question are 'local_orig' and 'local_resp'. I read the comments
> (shown at the end of this email) in main.bro of conn directory but I still
> can't quite follow what these fields mean. Do these fields mean that the
> request/response were initiated from the system where bro was running?
>
> I am performing analysis using bro and bro is receiving traffic over a
> span port. In the connection log both these fields are set to true for a
> connection and I am wondering why. Any further clarification is
> appreciated. Thanks.
>
> Dk.
>
>
>
>     ## If the connection is originated locally, this value will be T.
>     ## If it was originated remotely it will be F.  In the case that
>     ## the :bro:id:`Site::local_nets` variable is undefined, this
>     ## field will be left empty at all times.
>     local_orig:   bool            &log &optional;
>
>     ## If the connection is responded to locally, this value will be T.
>     ## If it was responded to remotely it will be F.  In the case that
>     ## the :bro:id:`Site::local_nets` variable is undefined, this
>     ## field will be left empty at all times.
>     local_resp:   bool            &log &optional;
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-- 

Jon
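As an added illustration (not code from this thread or from Bro itself): a small Python reimplementation of how local_orig and local_resp follow from Site::local_nets. It assumes a constructed networks.cfg in Bro's "<cidr>  <description>" line format, and also covers the case the comments mention, where local_nets is undefined and both fields are left empty.

```python
import ipaddress

# Constructed networks.cfg contents (not any real site's file). Bro reads
# one "<cidr>  <description>" per line; '#' starts a comment.
NETWORKS_CFG = """\
# Constructed example networks.cfg
10.0.0.0/8          Private IP space
192.168.0.0/16      Private IP space
203.0.113.0/24      Our public block (documentation range, constructed)
"""


def parse_networks_cfg(text):
    """Parse networks.cfg into the list of networks that becomes Site::local_nets."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cidr = line.split()[0]                 # first token is the subnet
        nets.append(ipaddress.ip_network(cidr, strict=False))
    return nets


def is_local(addr, local_nets):
    """True if addr falls inside any of the local networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in local_nets)


def local_flags(orig_h, resp_h, local_nets):
    """Return (local_orig, local_resp) as conn.log would carry them.

    local_orig is T when the originator's address is in local_nets,
    local_resp is T when the responder's address is in local_nets.
    If local_nets is undefined (None), both fields stay unset (logged as '-').
    Neither flag depends on where the Bro worker itself runs.
    """
    if local_nets is None:
        return (None, None)
    return (is_local(orig_h, local_nets), is_local(resp_h, local_nets))


if __name__ == "__main__":
    nets = parse_networks_cfg(NETWORKS_CFG)
    # A span-port capture of two internal hosts talking: both flags are T.
    print(local_flags("10.1.2.3", "192.168.5.6", nets))
    print(local_flags("10.1.2.3", "8.8.8.8", nets))
```

Both flags come out T for the internal-to-internal connection, which is the situation described in the question.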