[Zeek] TCP History

Justin Azoff justin at corelight.com
Mon Jun 22 11:23:30 PDT 2020


The one thing that would shed some light on this is a full conn.log
entry including the 'history' field.

On Mon, Jun 22, 2020 at 2:07 PM Greg Grasmehr <greg.grasmehr at caltech.edu> wrote:
>
> Hello,
>
> Given that this appears to be scanning originating from Google DNS, I
> just want to make sure there is no chance this is in error or maybe I am
> misunderstanding what I am reading here.
>
> Lines like this are written to a custom log on event
> connection_state_remove
>
> ts                      orig_ip  orig_port   dest_ip     dest_port   conn_state  orig_pkts dest_pkts  proto
> 2020-06-21T01:19:55     8.8.8.8  22979       redacted    8080        S0          2         0          tcp
> 2020-06-21T01:19:59     8.8.8.8  53096       redacted    8080        S0          1         0          tcp
> 2020-06-21T01:22:02     8.8.8.8  53096       redacted    8080        S0          2         0          tcp
>
> Thanks in advance for any insight.
>
> Greg
> _______________________________________________
> Zeek mailing list
> zeek at zeek.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/zeek



-- 
Justin
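As an added example (not code from the thread or from Zeek itself), this is a custom log written on connection_state_remove that carries the 'history' field next to the columns already being logged, so an S0 entry can be read together with its history string. The module name ConnHistory, the log path "conn_history" and the states_of_interest set are assumptions.

```zeek
# Added example: log S0 connections with their history string.
# Assumed names: module ConnHistory, log path "conn_history".
module ConnHistory;

export {
	redef enum Log::ID += { LOG };

	type Info: record {
		ts:         time            &log;
		uid:        string          &log;
		id:         conn_id         &log;
		proto:      transport_proto &log;
		conn_state: string          &log &optional;
		history:    string          &log &optional;
		orig_pkts:  count           &log &optional;
		resp_pkts:  count           &log &optional;
	};

	# Only keep connections in these states; S0 (SYN seen, no reply)
	# is what the quoted log lines show.  Assumed default, redef-able.
	const states_of_interest: set[string] = { "S0" } &redef;
}

event zeek_init()
	{
	Log::create_stream(LOG, [$columns=Info, $path="conn_history"]);
	}

event connection_state_remove(c: connection)
	{
	# The base conn script fills in c$conn at a higher priority, so it is
	# available here; guard anyway in case that script is not loaded.
	if ( ! c?$conn || ! c$conn?$conn_state )
		return;

	if ( c$conn$conn_state !in states_of_interest )
		return;

	local rec = Info($ts=c$start_time,
	                 $uid=c$uid,
	                 $id=c$id,
	                 $proto=get_port_transport_proto(c$id$resp_p),
	                 $conn_state=c$conn$conn_state,
	                 $history=c$history);

	# Packet counts are only present when connection size analysis is on.
	if ( c$orig?$num_pkts )
		rec$orig_pkts = c$orig$num_pkts;
	if ( c$resp?$num_pkts )
		rec$resp_pkts = c$resp$num_pkts;

	Log::write(LOG, rec);
	}
```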

