Question about fields in the notice log

Paul_Halliday · June 4, 2013, 11:14am

What is the difference between id.orig_h, id.resp_h and src,dst?

Scott_Runnels · June 4, 2013, 1:55pm

Hi Paul,

src and dst are used if there isn’t a connection id.

source: http://www.bro.org/sphinx-git/scripts/base/frameworks/notice/main.html#type-Notice::Info

src: [`addr`](http://www.bro.org/sphinx-git/scripts/builtins.html#type-addr) [`&log`](http://www.bro.org/sphinx-git/scripts/builtins.html#attr-&log) [`&optional`](http://www.bro.org/sphinx-git/scripts/builtins.html#attr-&optional)

Source address, if we don’t have a conn_id.

dst: [`addr`](http://www.bro.org/sphinx-git/scripts/builtins.html#type-addr) [`&log`](http://www.bro.org/sphinx-git/scripts/builtins.html#attr-&log) [`&optional`](http://www.bro.org/sphinx-git/scripts/builtins.html#attr-&optional)

Destination address.

Seth_Hall3 · June 4, 2013, 6:01pm

Not much. I think the original intent behind them was that in cases where there is no obvious directionality (i.e. non-tcp) the src and dst fields would be used since they indicate the sender and receiver of an individual packet and don't represent a "connection". I've been using the src field for notices that only reference a single host too although ultimately I don't think that's a good thing. We should probably add a host field for cases where only a single host is being referred to in the notice.

.Seth

Topic		Replies	Views
Notice::Info$src Development development	3	80	May 6, 2022
Field value missing Zeek	5	204	May 6, 2022
sanity check in bro Zeek	1	68	May 6, 2022
conn.log question Zeek	4	85	May 6, 2022
fields in the conn.log Zeek	1	141	May 6, 2022

Question about fields in the notice log

Related topics