Differences between conn.log and known_services.log

Hi,
conn.log and known_services.log have a field named "service":
sometimes this field is empty in conn.log but in known_services.log it is
not... Why?
This field should be processed in the same way by the two logs... or not?
Thanks,
Vito

It’s due to what is actually being logged in both of those logs. conn.log has information per-connection so you can imagine that someone might connect to a host and not actually speak the protocol that the server speaks and we don’t detect any protocol. known_services.log is generally trying to figure out what protocol a host-port pair speaks and logs that. If no protocol is detected, we try to delay logging the fact that the port is held open in the hopes that a better connection will happen later.

Make sense?

  .Seth

Hi Seth,
thanks for your reply. Is it correct to say that the difference
between conn.log and known_services.log is that conn.log is based on a
real-time analysis and known_services.log is based on a delayed
analysis? Is it right or not?
Another question: if known_services identifies a service on an
addr/port, is that information later used by conn.log or not?
Thanks
Vito

Is it correct to say that the difference
between conn.log and known_services.log is that conn.log is based on a
real-time analysis and known_services.log is based on a delayed
analysis? Is it right or not?

Technically that’s correct but I would say that it’s more accurate to say that the two logs are logging different things. conn.log is logging attribute of connections, and known_services.log is logging aspects of host/port pairs.

Another question: if known_services identifies a service on an
addr/port, is that information later used by conn.log or not?

No, that wouldn’t make sense to do that. The service field in conn.log is solely showing you what analyzer(s) Bro used successfully to analyze the traffic on that particular connection.

  .Seth

Hi Seth,
thanks for your reply, but I still have some doubts; I'll try to
explain myself better.

Sometimes in conn.log I have an output like this:

ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service .......
xxx CYePUY1fgIZQcJHerb 10.0.1.2 40077 10.0.5.6 67 udp - .....

and in known_services.log something like:

ts host port_num port_proto service
xxx 10.0.5.6 67 udp DHCP

(ip addrs are totally arbitrary)

Why do you think that a log like below is totally wrong?

ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service .......
xxx CYePUY1fgIZQcJHerb 10.0.1.2 40077 10.0.5.6 67 udp DHCP .....

In this case, I've used information present in known_services.log to
integrate the info present in conn.log, so the service field in
conn.log is not empty.
What's wrong with this?
Regards,
Vito
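As an added example (not part of this thread and not Bro's own code), the following Python script performs the join Vito describes, matching each conn.log entry against known_services.log on the responder host, port and protocol. It deliberately writes the looked-up value into a separate `known_service` column instead of overwriting `service`, which keeps Seth's distinction visible: `service` says which analyzer Bro confirmed on that one connection, `known_service` says what the host/port pair is known to speak. The two log excerpts embedded in the script are constructed to mirror the ones in the thread (addresses arbitrary) and use Bro's tab-separated ASCII format with a `#fields` header.

```python
"""Join conn.log against known_services.log on responder host/port/proto.

Added example, not from the original thread or from Bro/Zeek. The log
excerpts below are constructed (addresses arbitrary) in Bro's ASCII
format: tab-separated, with a '#fields' header naming the columns.
"""

# Constructed conn.log: three connections to two responder ports. Only the
# second one had its protocol actually detected by an analyzer.
CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1.0\tCYePUY1fgIZQcJHerb\t10.0.1.2\t40077\t10.0.5.6\t67\tudp\t-
2.0\tCa1b2c3d4e5f6g7h8i\t10.0.1.3\t51000\t10.0.5.6\t67\tudp\tdhcp
3.0\tCz9y8x7w6v5u4t3s2r\t10.0.1.4\t33000\t10.0.5.7\t22\ttcp\t-
"""

# Constructed known_services.log: the host/port pair 10.0.5.6:67/udp has
# been seen speaking DHCP at some point, so it is logged as a known service.
KNOWN_SERVICES_LOG = """\
#fields\tts\thost\tport_num\tport_proto\tservice
1.5\t10.0.5.6\t67\tudp\tDHCP
"""


def parse_log(text):
    """Parse a Bro ASCII log into a list of dicts keyed by its #fields header.

    Other '#' lines (#separator, #types, #close, ...) are skipped.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line encountered before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def service_index(known_rows):
    """Map (host, port, proto) -> service from known_services.log rows."""
    index = {}
    for r in known_rows:
        key = (r["host"], r["port_num"], r["port_proto"].lower())
        index[key] = r["service"]
    return index


def annotate(conn_rows, index):
    """Return conn rows with an extra 'known_service' column.

    'service' is left untouched: it records which analyzer Bro confirmed on
    that particular connection ('-' means none). 'known_service' records
    what the responder host/port pair is known to speak, if anything.
    """
    out = []
    for r in conn_rows:
        key = (r["id.resp_h"], r["id.resp_p"], r["proto"].lower())
        row = dict(r)
        row["known_service"] = index.get(key, "-")
        out.append(row)
    return out


def undetected_on_known_port(annotated):
    """UIDs of connections to a port with a known service where Bro detected
    nothing on that flow: the exact case discussed in the thread. These are
    the connections worth a second look (scanner, probe, non-conforming
    client) rather than evidence that the port is unused."""
    return [r["uid"] for r in annotated
            if r["service"] == "-" and r["known_service"] != "-"]


def run():
    """Parse both constructed logs and return the annotated conn rows."""
    index = service_index(parse_log(KNOWN_SERVICES_LOG))
    return annotate(parse_log(CONN_LOG), index)


if __name__ == "__main__":
    rows = run()
    for row in rows:
        print(row["uid"], row["id.resp_h"], row["id.resp_p"], row["proto"],
              "service=" + row["service"],
              "known_service=" + row["known_service"])
    print("undetected on known ports:", undetected_on_known_port(rows))
```

Run it as a script to see the three annotated connections; the first one is the thread's case (`service=-`, `known_service=DHCP`), the second was detected directly, and the third goes to a port known_services.log has no entry for. Keeping both columns lets an analyst answer both questions ("what was spoken here?" and "what does this port usually speak?") without conflating them.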