tx_hosts and rx_hosts in files.log

Ali_Hadi · May 30, 2015, 7:16pm

Hi,

If you use the PCAP below and analyze it using Bro:
https://www.bro.org/static/traces/email.pcap

Then when checking the files.log, the tx_hosts is supposed to show the host who transmitted the file, and rx_hosts is for the host who received the file based on Bro’s documentation: https://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html

If you do the following:
cat files.log | bro-cut fuid tx_hosts rx_hosts | grep

You’ll get that the TX Host IP (SrcIP) is 192.168.121.176 and not 192.168.121.179 !!!

Is there something I’m doing wrong, or has bro switched their positions in the output?

Thanks in advance,

Ali

Vlad_Grigorescu1 · May 31, 2015, 9:35pm

Thanks for the bug report. Looks like this comes from the assumption made here:

https://github.com/bro/bro/blob/master/src/analyzer/protocol/mime/MIME.cc#L1459

–Vlad

Ali_Hadi · June 1, 2015, 10:07am

You’re welcome. Hope it will be corrected soon.

robin · June 1, 2015, 2:25pm

Please file a ticket with our tracker.

Robin

Ali_Hadi · June 1, 2015, 6:44pm

Okay Robin, it’s done.

usman_shafique · June 2, 2015, 4:09am

can any one tell me how to analyze dynamic protocol in bro i am beginner i just understand bro scripting and how to run please give me simple example thanks

Regards
USman

Topic		Replies	Views
surgical file extraction Zeek	8	122	May 6, 2022
Bro Not Extracting Host Fields from HTTP Traffic Zeek	4	91	May 6, 2022
Is it applicapable to specific target ip using command line in bro? Zeek	7	96	May 6, 2022
check rx and tx hosts for files Zeek	3	82	May 6, 2022
Help with searching logs Zeek	15	106	May 6, 2022

tx_hosts and rx_hosts in files.log

Related topics