[Bro] conn.log question

James Lay jlay at slave-tothe-box.net
Wed Jan 10 13:39:50 PST 2018 

I keep this one bookmarked: 

https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info


James 

On 2018-01-10 13:22, Zeolla at GMail.com wrote:

> I suggest you look more into local_nets and networks.cfg.  Networks set in networks.cfg are those that bro will consider local, and those fields are not associated to traffic to/from the workers (excluding the traffic that they are monitoring).  Think non-RFC 1918 (and associated RFCs) subnets that bro may be monitoring and you own/are associated with your systems - public IPs that you own. 
> 
> https://www.bro.org/sphinx/scripts/base/utils/site.bro.html 
> 
> Jon 
> 
> On Wed, Jan 10, 2018, 15:05 Dk Jack <dnj0496 at gmail.com> wrote: 
> 
>> Hi, 
>> I am trying to make sense of a couple of fields in the conn.log. The fields in question are 'local_orig' and 'local_resp'. I read the comments (shown at the end of this email) in main.bro of conn directory but I still can't quiet follow what these fields mean. Do these fields mean that the request/response were initiated from the system where bro was running?  
>> 
>> I am performing analysis using bro and bro is receiving traffic over a span port. In the connection log both these fields are set to true for a connection and I am wondering why. Any further clarification is appreciated. Thanks. 
>> 
>> Dk. 
>> 
>> ## If the connection is originated locally, this value will be T. 
>> ## If it was originated remotely it will be F.  In the case that 
>> ## the :bro:id:`Site::local_nets` variable is undefined, this 
>> ## field will be left empty at all times. 
>> local_orig:   bool            &log &optional; 
>> 
>> ## If the connection is responded to locally, this value will be T. 
>> ## If it was responded to remotely it will be F.  In the case that 
>> ## the :bro:id:`Site::local_nets` variable is undefined, this 
>> ## field will be left empty at all times. 
>> local_resp:   bool            &log &optional; 
>> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> 
> -- 
> 
> Jon 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180110/996031c9/attachment.html

More information about the Bro mailing list