[Zeek] TCP History

Greg Grasmehr greg.grasmehr at caltech.edu
Mon Jun 22 11:02:38 PDT 2020


Hello,

Given that this appears to be scanning originating from Google DNS, I
just want to make sure there is no chance this is in error or maybe I am
misunderstanding what I am reading here.

Lines like this are written to a custom log on event
connection_state_remove

ts                      orig_ip  orig_port   dest_ip     dest_port   conn_state  orig_pkts dest_pkts  proto
2020-06-21T01:19:55     8.8.8.8  22979       redacted    8080        S0          2         0          tcp
2020-06-21T01:19:59     8.8.8.8  53096       redacted    8080        S0          1         0          tcp
2020-06-21T01:22:02     8.8.8.8  53096       redacted    8080        S0          2         0          tcp

Thanks in advance for any insight.

Greg
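An added example, not part of Greg's post or of Zeek itself: a small Python parser for the custom log format shown above that picks out half-open TCP attempts (Zeek's `S0` conn_state means "connection attempt seen, no reply", and `dest_pkts` of 0 confirms the responder never sent a packet) and summarises repeated attempts per originator, destination and port. The sample lines are the three from the post, with `dest_ip` left as the literal `redacted`; the column names (`dest_ip`, `dest_pkts`) are the custom log's, not Zeek's standard `resp_h`/`resp_pkts`.

```python
"""Summarise half-open (S0) TCP attempts from a whitespace-separated Zeek custom log.

Example code added to illustrate the log shown in the post; not Zeek code.
"""
from datetime import datetime

# Sample lines copied from the post; dest_ip is "redacted" in the original.
SAMPLE_LOG = """\
ts                      orig_ip  orig_port   dest_ip     dest_port   conn_state  orig_pkts dest_pkts  proto
2020-06-21T01:19:55     8.8.8.8  22979       redacted    8080        S0          2         0          tcp
2020-06-21T01:19:59     8.8.8.8  53096       redacted    8080        S0          1         0          tcp
2020-06-21T01:22:02     8.8.8.8  53096       redacted    8080        S0          2         0          tcp
"""

INT_FIELDS = ("orig_port", "dest_port", "orig_pkts", "dest_pkts")


def parse_log(text):
    """Parse the header line plus records into a list of dicts with typed fields."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    records = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            continue  # skip malformed lines rather than crash on them
        rec = dict(zip(header, fields))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        for name in INT_FIELDS:
            rec[name] = int(rec[name])
        records.append(rec)
    return records


def is_half_open(rec):
    """True for a TCP connection attempt that never got a reply.

    S0 is Zeek's conn_state for "connection attempt seen, no reply";
    dest_pkts == 0 confirms the responder sent nothing at all.
    """
    return rec["proto"] == "tcp" and rec["conn_state"] == "S0" and rec["dest_pkts"] == 0


def summarise_half_open(records):
    """Group S0 attempts by (orig_ip, dest_ip, dest_port).

    Each entry tracks the attempt count, the distinct originator ports used,
    and the first/last timestamps, so repeated probing stands out from a
    single retransmitted SYN.
    """
    summary = {}
    for rec in records:
        if not is_half_open(rec):
            continue
        key = (rec["orig_ip"], rec["dest_ip"], rec["dest_port"])
        entry = summary.setdefault(
            key, {"attempts": 0, "orig_ports": set(), "first": rec["ts"], "last": rec["ts"]}
        )
        entry["attempts"] += 1
        entry["orig_ports"].add(rec["orig_port"])
        entry["first"] = min(entry["first"], rec["ts"])
        entry["last"] = max(entry["last"], rec["ts"])
    return summary


def span_seconds(entry):
    """Seconds between the first and last attempt in a summary entry."""
    return int((entry["last"] - entry["first"]).total_seconds())


def flag_repeated(summary, min_attempts=3):
    """Return the keys whose attempt count reaches the threshold (threshold is a chosen value)."""
    return [key for key, entry in summary.items() if entry["attempts"] >= min_attempts]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    summary = summarise_half_open(recs)
    for key in flag_repeated(summary):
        entry = summary[key]
        print(
            f"{key[0]} -> {key[1]}:{key[2]}: {entry['attempts']} S0 attempts, "
            f"{len(entry['orig_ports'])} originator ports, over {span_seconds(entry)}s"
        )
```

On the three lines from the post this reports one group, `8.8.8.8 -> redacted:8080`, with three S0 attempts from two originator ports spread over 127 seconds. Feeding the same functions a day of the custom log (or Zeek's standard `conn.log` with the field names adjusted) gives a per-source view of which half-open attempts recur, which is more useful than reading individual `S0` lines.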

