missing fields in conn.log

Earl_Eiland · June 18, 2015, 1:28pm

I’m running bro 2.4 on an industrial control system pcap file. According to , https://www.bro.org/sphinx-git/scripts/base/init-bare.bro.html#type-connection, there are a number of optional fields in conn.log. However, conn.log does not seem to include any of the optional fields.

For example, my test data includes MODBUS traffic, and one of the optional conn fields is “modbus”. I’ve checked loaded-scripts.log: modbus/main.bro is loaded. Also modbus.log is being output and populated. conn.log, however, does not include a “modbus” field.

what do I have to do for conn.log to include the optional fields?

Seth_Hall3 · June 18, 2015, 2:22pm

Eep! You just discovered a bug. The analyzer is never validating the protocol successfully (which is required in order for it to show up in conn.log). I’m going to do a patch now that fixes it.

“modbus” should be showing up in the “service” field of conn.log (which represents analyzers that were attached and successfully analyzed a connection.

.Seth

Earl_Eiland · June 18, 2015, 3:16pm

awesome! Thanks.

Best Regards,

Earl Eiland,

Topic		Replies	Views
Is the "service" field of the connection record unreliable? Zeek	2	90	May 6, 2022
"conn" field not present in connection Zeek	2	153	May 6, 2022
conn.log question Zeek	4	85	May 6, 2022
Bro Not Extracting Host Fields from HTTP Traffic Zeek	4	91	May 6, 2022
Newb with a couple questions Zeek	12	73	May 6, 2022

missing fields in conn.log

Related topics