-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Angelita,
http://www.bro-ids.org/Bro-reference-manual/Connection-summaries.html
Explains how the fields are structured, but its a little out of date.
I'll fill in the missing parts and see that the manual gets updated.
Given a line like this from the conn.log:
1122055977.662564 0.105927 10.1.1.1 10.2.2.2 http 55985 80 tcp 735 12946 SF
L %71
Unix Date/time: 1122055977.662564
Duration of the connection: 0.105927
Originator IP: 10.1.1.1
Responder IP: 10.2.2.2
Protocol: http
Originator port: 55985
Responder port: 80
Transport Protocol: tcp
Originator bytes sent: 735
Responder bytes sent: 12946
Flags: SF (Normal connection saw both SYN and FIN packets)
Additional Flags: L (connection was initiated locally)
Tag: %71
Now I can take my tag, and look in the http.log to
find out more about that connection (i'm running the
http analyzer):
http.log looks like this (example):
1121793380.980924 %71 start 10.1.1.1 > 10.2.2.2
1121793380.985317 %71 GET /foo/bar/baz.html (200 "OK" [145])
Having said all this, the alarm.log is very different, its
a 'tagged' format that is fairly self descriptive. This is
an example from the alarm.log file:
t=1000057981.940712 no=AddressScan na=NOTICE_ALARM_ALWAYS sa=10.1.1.1
sp=2222/tcp da=10.2.2.2 dp=3333/tcp msg=10.1.1.1\ has\ scanned\ 2000\ hosts\
(3333/tcp
) tag=@42
t: time
no: notice
na: notice action
sa: source address
sp: source port
dp: destination port
msg: message (in this case a host has scanned 20 hosts)
tag: identifier to match this to lines in notice.log and conn.log:
Now you can take the tag and look in the conn.log to find the connection
(with grep):
1000057956.062082 ? 10.1.1.1 10.2.2.2 other 2222 3333 tcp ? ? S0 X @142
(we can see that it didn't connect and no bytes were transfered)
Also there is a good section in the manual about alarms:
That should help explain the sort ids.
Hope this helps.
Cheers,
jason
Angelita de Cássia Corrêa wrote: