[Bro] conn.log question

Seth Hall seth at corelight.com
Sun Jan 14 07:38:01 PST 2018 

There is also this...
	https://github.com/corelight/bro-cheatsheets/blob/master/Corelight-Bro-Cheatsheets-2.5.pdf

   .Seth

On 10 Jan 2018, at 16:39, James Lay wrote:

> I keep this one bookmarked:
>
> https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info
>
>
> James
>
> On 2018-01-10 13:22, Zeolla at GMail.com wrote:
>
>> I suggest you look more into local_nets and networks.cfg.  Networks 
>> set in networks.cfg are those that bro will consider local, and those 
>> fields are not associated to traffic to/from the workers (excluding 
>> the traffic that they are monitoring).  Think non-RFC 1918 (and 
>> associated RFCs) subnets that bro may be monitoring and you own/are 
>> associated with your systems - public IPs that you own.
>>
>> https://www.bro.org/sphinx/scripts/base/utils/site.bro.html
>>
>> Jon
>>
>> On Wed, Jan 10, 2018, 15:05 Dk Jack <dnj0496 at gmail.com> wrote:
>>
>>> Hi,
>>> I am trying to make sense of a couple of fields in the conn.log. The 
>>> fields in question are 'local_orig' and 'local_resp'. I read the 
>>> comments (shown at the end of this email) in main.bro of conn 
>>> directory but I still can't quiet follow what these fields mean. Do 
>>> these fields mean that the request/response were initiated from the 
>>> system where bro was running?
>>>
>>> I am performing analysis using bro and bro is receiving traffic over 
>>> a span port. In the connection log both these fields are set to true 
>>> for a connection and I am wondering why. Any further clarification 
>>> is appreciated. Thanks.
>>>
>>> Dk.
>>>
>>> ## If the connection is originated locally, this value will be T.
>>> ## If it was originated remotely it will be F.  In the case that
>>> ## the :bro:id:`Site::local_nets` variable is undefined, this
>>> ## field will be left empty at all times.
>>> local_orig:   bool            &log &optional;
>>>
>>> ## If the connection is responded to locally, this value will be T.
>>> ## If it was responded to remotely it will be F.  In the case that
>>> ## the :bro:id:`Site::local_nets` variable is undefined, this
>>> ## field will be left empty at all times.
>>> local_resp:   bool            &log &optional;
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>> -- 
>>
>> Jon
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

--
Seth Hall * Corelight, Inc * www.corelight.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180114/41612fcd/attachment.html

More information about the Bro mailing list