Ali Hadi created BIT-1410:
-----------------------------

             Summary: tx_hosts and rx_hosts switched in files.log
                 Key: BIT-1410
                 URL: https://bro-tracker.atlassian.net/browse/BIT-1410
             Project: Bro Issue Tracker
          Issue Type: Problem
          Components: Bro
         Environment: Linux Ubuntu 
            Reporter: Ali Hadi
            Priority: High


Hi,

Based on Robin's request I opened this ticket.
If you use the PCAP below and analyze it using Bro:
https://www.bro.org/static/traces/email.pcap

Then when checking the files.log, the tx_hosts is supposed to show the host who 
transmitted the file, and rx_hosts is for the host who received the file based 
on Bro's documentation: 
https://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html

If you do the following:
cat files.log | bro-cut fuid tx_hosts rx_hosts | grep <ID OF THE LEAKED PDF FILE>

You'll get that the TX Host IP (SrcIP) is 192.168.121.176 and not 
192.168.121.179 !!!

It seems that Bro switched their positions in the output. I found this in an 
assignment given to my students, and one of them gave me a result completely 
different. So when I double checked with Wireshark, I found that the IPs have 
been switched by Bro.

Hope this helps.
Ali
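The check described in the ticket, as an added example that is not part of the original report or of Bro itself: a small parser for Bro's ASCII log format (honouring the #separator, #set_separator, #unset_field, #empty_field, #fields and #types header lines, so set[addr] columns such as tx_hosts become lists) plus a helper that looks up a file by fuid and reports whether the expected transmitting host is in tx_hosts. The embedded files.log content is constructed for the example, and the fuids, conn_uids and the expected direction are assumptions, not values from the trace.

```python
"""Cross-check tx_hosts/rx_hosts in a Bro files.log against an expected sender.

Added example; the log excerpt below is constructed to mirror the ticket
(tx_hosts shows .176 where the reporter expected .179). Fuids/conn_uids are
placeholders.
"""

# Constructed files.log excerpt. The very first header line uses a literal
# space before the escaped separator, as Bro writes it; later lines use tabs.
SAMPLE_FILES_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tfiles\n"
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type\n"
    "#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring\tstring\n"
    "1258867934.558264\tFexample1\t192.168.121.176\t192.168.121.179\tCexample1\tSMTP\tapplication/pdf\n"
    "1258867935.100000\tFexample2\t192.168.121.179\t192.168.121.176\tCexample2\tSMTP\t-\n"
    "#close\t2009-11-22-12-00-00\n"
)


def parse_bro_log(text):
    """Parse a Bro/Zeek ASCII log into a list of dicts keyed by #fields names.

    set[...] and vector[...] columns are split on the set separator; the
    unset marker becomes None and the empty marker becomes an empty list.
    """
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields = types = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # Separator is written escaped (e.g. \x09) before it is in effect.
                sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            else:
                key, _, value = line[1:].partition(sep)
                if key == "set_separator":
                    set_sep = value
                elif key == "unset_field":
                    unset = value
                elif key == "empty_field":
                    empty = value
                elif key == "fields":
                    fields = value.split(sep)
                elif key == "types":
                    types = value.split(sep)
            continue
        if fields is None:
            raise ValueError("data line before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        col_types = types or ["string"] * len(fields)
        rec = {}
        for name, typ, raw in zip(fields, col_types, values):
            if raw == unset:
                rec[name] = None
            elif typ.startswith("set[") or typ.startswith("vector["):
                rec[name] = [] if raw == empty else raw.split(set_sep)
            else:
                rec[name] = raw
        records.append(rec)
    return records


def find_by_fuid(records, fuid):
    """Return the files.log record for a fuid, or None if absent."""
    for rec in records:
        if rec.get("fuid") == fuid:
            return rec
    return None


def check_direction(records, fuid, expected_tx):
    """Return (ok, tx_hosts, rx_hosts) for a fuid.

    ok is True when the host you believe transmitted the file (e.g. the
    sender seen in Wireshark) appears in tx_hosts; False flags the swap the
    ticket describes.
    """
    rec = find_by_fuid(records, fuid)
    if rec is None:
        raise KeyError(fuid)
    return expected_tx in rec["tx_hosts"], rec["tx_hosts"], rec["rx_hosts"]


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_FILES_LOG)
    for r in recs:
        ok, tx, rx = check_direction(recs, r["fuid"], "192.168.121.179")
        print(r["fuid"], "tx=%s rx=%s" % (",".join(tx), ",".join(rx)),
              "OK" if ok else "DIRECTION MISMATCH")
```

Run it against a real files.log by replacing SAMPLE_FILES_LOG with the file's contents; the expected transmitter is whatever the packet capture shows as the sending host for that file.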




--
This message was sent by Atlassian JIRA
(v6.5-OD-05-041#65001)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
