Re: 192.168.138.158 address in yaf index

2017-09-20 Thread Nick Allen
I agree with Simon and Laurens. In addition to what they mentioned, there is also the "sensor-stubs" which just replays canned Bro/Snort/YAF output without actually running tcpreplay, Bro, Snort, or YAF. You would also see the same IP in that data.

On Wed, Sep 20, 2017 at 10:38 AM Simon

Re: 192.168.138.158 address in yaf index

2017-09-20 Thread Laurens Vets
I think these addresses are used in the example.pcap (/opt/pcap-replay/example.pcap). The fact that you're receiving this means that pcap-replay is probably running in the background. You can check this with Monit ("monit summary").

On 2017-09-20 07:29, Frank Horsfall wrote:
> Morning all,
>

Re: 192.168.138.158 address in yaf index

2017-09-20 Thread Simon Elliston Ball
That sounds like an address from the standard example.pcap used to demo Metron capability. In a real deployment you should not run pcap-replay, which is what inserts this demo data.

Simon

> On 21 Sep 2017, at 00:29, Frank Horsfall wrote:
>
> Morning all,
>

192.168.138.158 address in yaf index

2017-09-20 Thread Frank Horsfall
Morning all, I have several logs showing an address of 192.168.138.158 as ip_src_addr and 192.168.138.2 as ip_dst_addr. My internal network does not have the 192.168.0.0/24 range, which leads me to believe that somewhere there is a test record with the data. Would anybody know where I might be