[Bro] is there a bro script to ignore duplicated logs?
Michał Purzyński
michalpurzynski1 at gmail.com
Thu Oct 4 03:20:40 PDT 2018
These duplicated logs make it apparent that you’re having some packet capture problems.
What’s your packet capture setup? Do you use a span port? Optical taps? Packet brokers?
How do you run bro?
> On Oct 4, 2018, at 11:06 AM, MAÁN ABU SHAQRA <maanamen at hotmail.com> wrote:
>
> We're facing this issue with bro whereby it's duplicating entries; see below:
>
> 1536746459.586520 CbxxYF1uTyqC499HDe
> 192.168.20.15 137
> 10.190.129.26 137
> udp 39011
> - maanpc
> 1 C_INTERNET
> 32 NB
> F
>
> 1536746460.343566 CbxxYF1uTyqC499HDe
> 192.168.20.15 137
> 10.190.129.26 137
> udp 39011
> - maanpc
> 1 C_INTERNET
> 32 NB
> F
>
> 1536746461.107930 CbxxYF1uTyqC499HDe
> 192.168.20.15 137
> 10.190.129.26 137
> udp 39011
> - maanpc
> 1 C_INTERNET
> 32 NB
> F
>
> 1536746466.418528 CbxxYF1uTyqC499HDe
> 192.168.20.15 137
> 10.190.129.26 137
> udp 39013
> - maanpc
> 1 C_INTERNET
> 32 NB
> F
>
> 1536746467.176333 CbxxYF1uTyqC499HDe
> 192.168.20.15 137
> 10.190.129.26 137
> udp 39013
> - maanpc
> 1 C_INTERNET
> 32 NB
> F
>
> 1536746467.940695 CbxxYF1uTyqC499HDe
> 192.168.20.15 137
> 10.190.129.26 137
> udp 39013
> - maanpc
> 1 C_INTERNET
> 32 NB
> F
>
> 1536746473.250630 CbxxYF1uTyqC499HDe
> 192.168.20.15 137
> 10.190.129.26 137
> udp 39017
> - maanpc
> 1 C_INTERNET
> 32 NB
> F
>
> 1536746474.010337 CbxxYF1uTyqC499HDe
> 192.168.20.15 137
> 10.190.129.26 137
> udp 39017
> - maanpc
> 1 C_INTERNET
> 32 NB
> F
>
> 1536746474.773560 CbxxYF1uTyqC499HDe
> 192.168.20.15 137
> 10.190.129.26 137
> udp 39017
> - maanpc
> 1 C_INTERNET
> 32 NB
> F
>
> 1536746452.751762 CbxxYF1uTyqC499HDe
> 192.168.20.15 137
> 10.190.129.26 137
> udp 39009
> - maanpc
> 1 C_INTERNET
> 32 NB
> F
>
> 1536746453.510702 CbxxYF1uTyqC499HDe
> 192.168.20.15 137
> 10.190.129.26 137
> udp 39009
> - maanpc
> 1 C_INTERNET
> 32 NB
> F
>
> 1536746454.275116 CbxxYF1uTyqC499HDe
> 192.168.20.15 137
> 10.190.129.26 137
> udp 39009
> - maanpc
> 1 C_INTERNET
> 32 NB
> F
>
>
> pf_ring / af packet didn't help.
>
> thanks