[ https://bro-tracker.atlassian.net/browse/BIT-1410?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robin Sommer updated BIT-1410:
------------------------------
    Fix Version/s: 2.4

> tx_hosts and rx_hosts switched in files.log
> -------------------------------------------
>
>                 Key: BIT-1410
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1410
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>         Environment: Linux Ubuntu
>            Reporter: Ali Hadi
>            Priority: High
>              Labels: analyzer
>             Fix For: 2.4
>
>
> Hi,
>
> Based on Robin's request I opened this ticket.
>
> If you use the PCAP below and analyze it using Bro:
> https://www.bro.org/static/traces/email.pcap
>
> Then when checking the files.log, the tx_hosts is supposed to show the host
> who transmitted the file, and rx_hosts is for the host who received the file,
> based on Bro's documentation:
> https://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html
>
> If you do the following:
>
> cat files.log | bro-cut fuid tx_hosts rx_hosts | grep <ID OF THE LEAKED PDF FILE>
>
> You'll get that the TX Host IP (SrcIP) is 192.168.121.176 and not
> 192.168.121.179!
>
> It seems that Bro switched their positions in the output. I found this in an
> assignment given to my students, and one of them gave me a completely
> different result. So when I double-checked with Wireshark, I found that the
> IPs had been switched by Bro.
>
> Hope this helps.
>
> Ali

--
This message was sent by Atlassian JIRA
(v6.5-OD-05-041#65001)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
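The check the reporter did by hand with bro-cut and Wireshark can be automated by joining files.log to conn.log and comparing the recorded transmitter against the connection originator. The script below is an added example, not code from the ticket or from the Bro project. It assumes the standard Bro/Zeek ASCII log layout (tab-separated columns described by #fields/#types headers, set values joined with commas) and, for the orientation rule, that in SMTP the connection originator (the mail client, conn.log id.orig_h) is the host that transmits an attachment; that rule is an assumption of this example, not something the ticket states. Every log line, uid, fuid and address in the block is constructed for the example; none of it comes from email.pcap.

```python
"""Cross-check tx_hosts/rx_hosts in a Bro/Zeek files.log against conn.log.

Added example, not Bro project code. Assumptions:
  * standard Bro ASCII log format (#separator/#fields/#types headers,
    tab-separated columns, comma-separated set values);
  * for the services in ORIG_SENDS, the connection originator transmits
    the file, so tx_hosts == {id.orig_h} and rx_hosts == {id.resp_h}.
"""

# Constructed sample logs (made-up uids, fuids and RFC1918 addresses).
# The first files.log entry is deliberately oriented the wrong way round,
# mirroring the symptom reported in BIT-1410.
CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1.0\tCexamp1\t10.1.1.5\t49152\t10.1.1.9\t25\ttcp\tsmtp
2.0\tCexamp2\t10.1.1.5\t49153\t10.1.1.9\t25\ttcp\tsmtp
3.0\tCexamp3\t10.1.1.5\t49154\t10.1.1.7\t80\ttcp\thttp
#close\t-
"""

FILES_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tfiles
#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type
#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring\tstring
1.1\tFexampA\t10.1.1.9\t10.1.1.5\tCexamp1\tSMTP\tapplication/pdf
2.1\tFexampB\t10.1.1.5\t10.1.1.9\tCexamp2\tSMTP\ttext/plain
3.1\tFexampC\t10.1.1.7\t10.1.1.5\tCexamp3\tHTTP\ttext/html
#close\t-
"""

# Services for which the originator is assumed to be the file transmitter.
ORIG_SENDS = {"smtp"}


def parse_bro_log(text):
    """Parse a Bro ASCII log into a list of dicts keyed by the #fields names.

    set[]/vector[] columns become Python sets; the unset marker becomes None.
    #path, #open and #close header lines carry no column data and are skipped.
    """
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields, types, rows = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The value is written escaped, e.g. "\x09" for a tab.
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, *vals = line.split(sep)
            if key == "#set_separator":
                set_sep = vals[0]
            elif key == "#empty_field":
                empty = vals[0]
            elif key == "#unset_field":
                unset = vals[0]
            elif key == "#fields":
                fields = vals
            elif key == "#types":
                types = vals
            continue
        row = {}
        for name, typ, val in zip(fields, types, line.split(sep)):
            if typ.startswith(("set[", "vector[")):
                row[name] = set() if val in (empty, unset) else set(val.split(set_sep))
            else:
                row[name] = None if val == unset else val
        rows.append(row)
    return rows


def find_swapped_files(files_text, conn_text):
    """Return fuids whose tx_hosts/rx_hosts contradict the originator rule."""
    conns = {c["uid"]: c for c in parse_bro_log(conn_text)}
    swapped = []
    for f in parse_bro_log(files_text):
        for uid in sorted(f["conn_uids"]):
            c = conns.get(uid)
            if c is None or c["service"] not in ORIG_SENDS:
                continue
            if f["tx_hosts"] != {c["id.orig_h"]} or f["rx_hosts"] != {c["id.resp_h"]}:
                swapped.append(f["fuid"])
                break
    return swapped


def find_inconsistent_hosts(files_text, conn_text):
    """Protocol-agnostic check: tx_hosts | rx_hosts must equal the endpoints
    of the carrying connection(s); anything else points at a logging bug."""
    conns = {c["uid"]: c for c in parse_bro_log(conn_text)}
    bad = []
    for f in parse_bro_log(files_text):
        endpoints = set()
        for uid in f["conn_uids"]:
            if uid in conns:
                endpoints |= {conns[uid]["id.orig_h"], conns[uid]["id.resp_h"]}
        if endpoints and (f["tx_hosts"] | f["rx_hosts"]) != endpoints:
            bad.append(f["fuid"])
    return bad


if __name__ == "__main__":
    print("swapped orientation:", find_swapped_files(FILES_LOG, CONN_LOG))
    print("unrelated hosts:", find_inconsistent_hosts(FILES_LOG, CONN_LOG))
```

On real logs, read files.log and conn.log from disk and pass their contents in place of the constructed strings; only find_swapped_files depends on the per-service orientation assumption, while find_inconsistent_hosts catches the weaker but protocol-independent error of a file being attributed to hosts that are not endpoints of its connection.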