conn.log question

Hi,
I am trying to make sense of a couple of fields in the conn.log. The fields in question are ‘local_orig’ and ‘local_resp’. I read the comments (shown at the end of this email) in main.bro of the conn directory but I still can’t quite follow what these fields mean. Do these fields mean that the request/response were initiated from the system where bro was running?

I am performing analysis using bro and bro is receiving traffic over a span port. In the connection log both these fields are set to true for a connection and I am wondering why. Any further clarification is appreciated. Thanks.

Dk.

If the connection is originated locally, this value will be T.
If it was originated remotely it will be F. In the case that
the :bro:id:Site::local_nets variable is undefined, this
field will be left empty at all times.
local_orig: bool &log &optional;

If the connection is responded to locally, this value will be T.
If it was responded to remotely it will be F. In the case that
the :bro:id:Site::local_nets variable is undefined, this
field will be left empty at all times.
local_resp: bool &log &optional;

I suggest you look more into local_nets and networks.cfg. Networks set in networks.cfg are those that bro will consider local, and those fields are not associated with traffic to/from the workers (excluding the traffic that they are monitoring). Think non-RFC 1918 (and associated RFCs) subnets that bro may be monitoring and that you own or that are associated with your systems - public IPs that you own.

https://www.bro.org/sphinx/scripts/base/utils/site.bro.html

Jon
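As an added illustration (not part of this thread and not Bro's own code), the Python below mirrors how local_orig/local_resp follow from the subnets listed in networks.cfg: each field is T exactly when that endpoint's address falls inside a local net, so a connection between two local hosts logs T for both, regardless of where the sensor sits. The networks.cfg and conn.log contents are constructed for the example, and the function names are mine.

```python
import ipaddress

# Constructed networks.cfg: the subnets Bro loads into Site::local_nets.
NETWORKS_CFG = """\
# CIDR            description
10.0.0.0/8        Private IP space
192.168.0.0/16    Private IP space
203.0.113.0/24    Our public /24 (constructed, documentation range)
"""

# Constructed conn.log excerpt, reduced to the columns this check needs.
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tlocal_orig\tlocal_resp
1500000000.1\tCabc1\t10.1.2.3\t51000\t198.51.100.7\t443\tT\tF
1500000001.2\tCabc2\t198.51.100.9\t40000\t203.0.113.5\t80\tF\tT
1500000002.3\tCabc3\t192.168.1.10\t53000\t10.9.9.9\t22\tT\tT
1500000003.4\tCabc4\t198.51.100.7\t33000\t198.51.100.8\t25\tF\tF
"""

def load_local_nets(cfg_text):
    """Parse networks.cfg: the first token of each non-comment line is a CIDR."""
    nets = []
    for line in cfg_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets

def is_local_addr(addr, local_nets):
    """Same test Site::is_local_addr applies: address inside any local net."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in local_nets)

def check_conn_log(log_text, local_nets):
    """Recompute local_orig/local_resp per record and compare with the logged values.

    Returns (uid, expected_local_orig, expected_local_resp, matches_log) tuples."""
    results = []
    lines = log_text.splitlines()
    fields = lines[0].split("\t")[1:]          # drop the leading '#fields' token
    for line in lines[1:]:
        rec = dict(zip(fields, line.split("\t")))
        exp_orig = is_local_addr(rec["id.orig_h"], local_nets)
        exp_resp = is_local_addr(rec["id.resp_h"], local_nets)
        logged = (rec["local_orig"] == "T", rec["local_resp"] == "T")
        results.append((rec["uid"], exp_orig, exp_resp, logged == (exp_orig, exp_resp)))
    return results

if __name__ == "__main__":
    for row in check_conn_log(CONN_LOG, load_local_nets(NETWORKS_CFG)):
        print(row)
```

Record Cabc3 is the case from the original question: both endpoints are in local nets, so both fields are T even though the sensor only sees the traffic on a span port.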

I keep this one bookmarked:

https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html#type-Conn::Info

James

There is also this…
https://github.com/corelight/bro-cheatsheets/blob/master/Corelight-Bro-Cheatsheets-2.5.pdf

.Seth