[ https://bro-tracker.atlassian.net/browse/BIT-1410?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=20907#comment-20907 ]

Robin Sommer commented on BIT-1410:
-----------------------------------

Setting it to 2.4, let's see if we can get this fixed still.

> tx_hosts and rx_hosts switched in files.log
> -------------------------------------------
>
>                 Key: BIT-1410
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1410
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>         Environment: Linux Ubuntu 
>            Reporter: Ali Hadi
>            Priority: High
>              Labels: analyzer
>             Fix For: 2.4
>
>
> Hi,
> _Based on Robin's request I opened this ticket._
> If you use the PCAP below and analyze it using Bro:
> https://www.bro.org/static/traces/email.pcap
> Then when checking the files.log, the tx_hosts is supposed to show the host 
> who transmitted the file, and rx_hosts is for the host who received the file 
> based on Bro's documentation: 
> https://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html
> If you do the following:
> cat files.log | bro-cut fuid tx_hosts rx_hosts | grep <ID OF THE LEAKED PDF FILE>
> You'll get that the TX Host IP (SrcIP) is 192.168.121.176 and not 
> 192.168.121.179 !!!
> It seems that Bro switched their positions in the output. I found this in an 
> assignment given to my students, and one of them gave me a result completely 
> different. So when I double checked with Wireshark, I found that the IPs have 
> been switched by Bro.
> Hope this helps.
> Ali



--
This message was sent by Atlassian JIRA
(v6.5-OD-05-041#65001)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
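A way to catch the swapped direction the report describes without opening the pcap in Wireshark, as an added example that is not from the ticket or the Bro project: cross-check each files.log entry against the conn.log entry it came from. It assumes that for SMTP the connection originator (the submitting client) is the transmitter, so tx_hosts must contain id.orig_h; the sample logs are constructed, not the real output of email.pcap.

```python
# Added example, not from the ticket or Bro itself: verify files.log
# tx_hosts/rx_hosts against conn.log so a swapped direction is flagged.
# Assumption: for SMTP the originator transmits the attachment (tx == id.orig_h).

def parse_bro_log(text):
    """Parse a Bro 2.x TSV log into a list of dicts keyed by the #fields line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

# Expected transmitter per file source; only SMTP is asserted here because
# HTTP bodies legitimately flow in either direction.
EXPECTED_TX = {"SMTP": "id.orig_h"}

def check_direction(files_text, conn_text):
    """Return (fuid, message) pairs for files whose tx_hosts disagree with conn.log."""
    conns = {c["uid"]: c for c in parse_bro_log(conn_text)}
    findings = []
    for f in parse_bro_log(files_text):
        field = EXPECTED_TX.get(f["source"])
        if field is None:
            continue
        tx, rx = set(f["tx_hosts"].split(",")), set(f["rx_hosts"].split(","))
        for uid in f["conn_uids"].split(","):
            c = conns.get(uid)
            if c is None:
                findings.append((f["fuid"], "no conn.log entry for " + uid))
            elif c[field] not in tx:
                hint = "swapped with rx_hosts" if c[field] in rx else "missing"
                findings.append((f["fuid"], f"expected transmitter {c[field]} {hint}"))
    return findings

# Constructed sample logs (not real email.pcap output), using the addresses
# from the report: the originator .179 submits the mail to .176, but files.log
# lists .176 as the transmitter.
CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1.0\tCXWv6p3arKYeMETxOg\t192.168.121.179\t49152\t192.168.121.176\t25\ttcp",
])
FILES_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type",
    "1.0\tFabc12\t192.168.121.176\t192.168.121.179\tCXWv6p3arKYeMETxOg\tSMTP\tapplication/pdf",
])

if __name__ == "__main__":
    for fuid, msg in check_direction(FILES_LOG, CONN_LOG):
        print(fuid, msg)
```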