Hello,
I’m fairly new to Bro so please excuse my ignorance.
I’m looking through logs from the Tunnel::LOG analyzer and am seeing that many records do not have UIDs. I would have thought that every session would get a UID and am wondering why there would be records without them.
Thank you for your help,
Luis Jimenez
Hello Luis,
> I'm looking through logs from the Tunnel::LOG analyzer and am seeing that
> many records do not have UIDs. I would have thought that every session
> would get a UID and am wondering why there would be records without them.
As far as I am aware, this is currently the case with SOCKS and HTTP
tunnels. The reasoning there is that, in these cases, the tunnel (from the
source machine to the HTTP or SOCKS proxy) will use many different
connections, which together form the tunnel. In this case (many
connections forming a tunnel), no single connection ID over which the
traffic is sent can be logged. Instead, the log file will contain the
source IP address, a source port of 0, the destination IP address and the
destination port to show the tunnel source (with unspecified port) and the
server destination IP and port.
I hope this helps,
Johanna
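An added example, not part of the thread above and not Bro/Zeek project code: a small Python parser for the TSV tunnel.log that splits records into those with a connection UID and those without, groups the UID-less (proxy tunnel) records by the only key they still carry, the (source host, proxy host, proxy port) tuple, and flags any UID-less record that does not match the SOCKS/HTTP, source-port-0 pattern described in the reply. The field names (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, tunnel_type, action) are those of the real tunnel.log; the log lines themselves are constructed sample data, not captured traffic.

```python
"""Parse a Zeek/Bro tunnel.log (TSV) and separate UID-bearing from UID-less records.

Added example for the mailing-list thread above; the sample log below is
constructed, the addresses are documentation ranges, nothing here is real traffic.
"""
from collections import defaultdict

# Constructed sample: one Teredo tunnel (carries a UID) and SOCKS/HTTP proxy
# tunnels (no UID, source port 0) as described in the reply.  The header lines
# follow the Zeek ASCII writer format, including the "#separator \x09" line.
SAMPLE_TUNNEL_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\ttunnel
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttunnel_type\taction
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tenum
1393099191.220000\tCXWv6p3arKYeMETxOg\t10.0.0.5\t54327\t192.0.2.10\t3544\tTunnel::TEREDO\tTunnel::DISCOVER
1393099192.410000\t-\t10.0.0.7\t0\t198.51.100.20\t443\tTunnel::SOCKS\tTunnel::DISCOVER
1393099193.130000\t-\t10.0.0.7\t0\t198.51.100.21\t80\tTunnel::HTTP\tTunnel::DISCOVER
1393099250.000000\t-\t10.0.0.7\t0\t198.51.100.20\t443\tTunnel::SOCKS\tTunnel::CLOSE
#close\t2014-02-22-20-00-00
"""

# Tunnel types that the reply says are logged without a UID.
PROXY_TUNNEL_TYPES = {"Tunnel::SOCKS", "Tunnel::HTTP"}


def parse_tunnel_log(text):
    """Return a list of dicts, one per data row. Unset fields ('-') become None."""
    sep = "\t"
    unset = "-"
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator line is itself space-separated and escaped (\x09).
                sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            elif line.startswith("#unset_field"):
                unset = line.split(sep, 1)[1]
            elif line.startswith("#fields"):
                fields = line.split(sep)[1:]
            continue  # #types, #path, #close and friends carry no data
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append({f: (None if v == unset else v) for f, v in zip(fields, values)})
    return records


def split_by_uid(records):
    """Split records into (with_uid, without_uid) lists."""
    with_uid = [r for r in records if r["uid"] is not None]
    without_uid = [r for r in records if r["uid"] is None]
    return with_uid, without_uid


def proxy_tunnel_keys(records):
    """Group UID-less records by (source host, proxy host, proxy port).

    With no UID and a source port of 0, this 3-tuple is the only key left for
    correlating tunnel.log rows with each other or with conn.log entries.
    """
    groups = defaultdict(list)
    for r in records:
        if r["uid"] is None:
            groups[(r["id.orig_h"], r["id.resp_h"], int(r["id.resp_p"]))].append(r)
    return dict(groups)


def unexpected_uidless(records):
    """Return UID-less records that do not fit the SOCKS/HTTP, source-port-0 pattern.

    Anything returned here deserves a closer look: either a different tunnel
    type is being logged without a UID, or the source port is populated.
    """
    return [
        r for r in records
        if r["uid"] is None
        and (r["tunnel_type"] not in PROXY_TUNNEL_TYPES or int(r["id.orig_p"]) != 0)
    ]


if __name__ == "__main__":
    recs = parse_tunnel_log(SAMPLE_TUNNEL_LOG)
    with_uid, without_uid = split_by_uid(recs)
    print("records with UID:   ", len(with_uid))
    print("records without UID:", len(without_uid))
    for key, rows in proxy_tunnel_keys(recs).items():
        print("proxy tunnel %s -> %s:%d, %d row(s)" % (key[0], key[1], key[2], len(rows)))
    print("unexpected UID-less rows:", unexpected_uidless(recs))
```

Running the script against a real tunnel.log (read the file and pass its contents to parse_tunnel_log) shows at a glance how many rows are UID-less, and the grouping function gives the key to pivot on when a uid is not available.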