Summary Reports and service listing

Vlad_Grigorescu2 · September 20, 2013, 1:39pm

The service field in conn.log (and in those summary reports) is the result of Bro's dynamic protocol detection (DPD). One of Bro's protocol analyzers has confirmed that the traffic seen is that protocol.

If you look in conn.log, you should be able to see if the 514 traffic is TCP or UDP. Bro doesn't have a TCP syslog analyzer right now. If it's UDP, something is sending malformed syslog.

--Vlad

Harry_Hoffman · September 20, 2013, 1:48pm

Hey Vlad,

It's udp and the traffic is syslog.

I have rsyslog listening on my network and traffic is making it from the
network devices to my syslog server so I don't think it's malformed.

Bro even has the syslog files in its log directory which is why I
thought it odd that things weren't being reported correctly.

Thoughts on where to look next?

Cheers,
Harry

Topic		Replies	Views
new bro "CURRENT" release - 0.8a57 Zeek	2	206	May 6, 2022
"Faking" connections and http records Zeek	4	76	May 6, 2022
Something is not clear to me concerning reporting Zeek	7	73	May 6, 2022
unmatched_HTTP_reply in weird.log Zeek	2	107	May 6, 2022
new bro "CURRENT" release - 0.8a57 Zeek	2	89	May 6, 2022

Summary Reports and service listing

Related topics