Hi list,
Is there a way to tell bro to generate log events (specifically smtp.log) from partial sessions?
I have a system that periodically feeds packet capture files through bro in order to generate its log data. I recently discovered that much of my smtp traffic was not showing up in the smtp.log. The segment in question is doing long-running bulk email transfers, resulting in the capture file seldom having SYN or FIN flagged packets, only PUSH and ACK flags. (This is due to the capture file rotation time being shorter than the MTA sessions).
Thanks!
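An added diagnostic, not part of the original post or of Bro itself, that quantifies the situation described above: it walks a capture, groups TCP packets to or from port 25 into bidirectional flows, and reports the flows in which no SYN was ever captured (the mid-stream sessions a short rotation interval produces). It assumes classic pcap with Ethernet framing, and the sample frames at the bottom are constructed for illustration.

```python
import struct
from collections import defaultdict

SYN, FIN, PSH, ACK = 0x02, 0x01, 0x08, 0x10  # TCP flag bits

def read_pcap(path):
    # Classic pcap only (not pcapng), Ethernet link type; byte order taken from the magic.
    with open(path, "rb") as fh: data = fh.read()
    end = "<" if data[:4] in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1") else ">"
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(end + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def parse_ipv4_tcp(frame):
    # Returns (src, dst, sport, dport, flags) for an Ethernet/IPv4/TCP frame, else None.
    if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    sport, dport = struct.unpack("!HH", frame[14 + ihl:18 + ihl])
    return src, dst, sport, dport, frame[14 + ihl + 13]

def flow_key(src, dst, sport, dport):
    # Direction-independent key so both halves of a conversation land in one bucket.
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def partial_flows(frames, port=25):
    # OR together every flag seen per flow; flows touching `port` with no SYN are the
    # sessions the capture caught mid-stream (rotation cut off their handshake).
    seen = defaultdict(int)
    for f in frames:
        p = parse_ipv4_tcp(f)
        if p and port in (p[2], p[3]):
            seen[flow_key(*p[:4])] |= p[4]
    return sorted(k for k, fl in seen.items() if not fl & SYN)

def build_frame(src, dst, sport, dport, flags):
    # Constructed Ethernet/IPv4/TCP frame with zero checksums: enough for tuple/flag parsing.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

# Constructed sample: a full SMTP handshake, an SMTP flow caught mid-transfer, an HTTP flow.
SAMPLE_FRAMES = [
    build_frame("10.0.0.5", "10.0.0.25", 40000, 25, SYN),
    build_frame("10.0.0.25", "10.0.0.5", 25, 40000, SYN | ACK),
    build_frame("10.0.0.5", "10.0.0.25", 40000, 25, PSH | ACK),
    build_frame("10.0.0.9", "10.0.0.25", 40001, 25, PSH | ACK),
    build_frame("10.0.0.25", "10.0.0.9", 25, 40001, ACK),
    build_frame("10.0.0.9", "10.0.0.25", 40002, 80, PSH | ACK),
]
```

On a real rotated file, `partial_flows(read_pcap("capture.pcap"))` lists the SMTP conversations whose handshake fell into an earlier file, which is the set Bro only ever sees as partial connections.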