tx_hosts and rx_hosts switched in files.log

Description

Hi,

_Based on Robin's request I opened this ticket._
If you use the PCAP below and analyze it using Bro:
https://www.bro.org/static/traces/email.pcap

Then when checking the files.log, the tx_hosts is supposed to show the host who transmitted the file, and rx_hosts is for the host who received the file based on Bro's documentation: https://www.bro.org/sphinx-git/scripts/base/frameworks/files/main.bro.html

If you do the following:
cat files.log | bro-cut fuid tx_hosts rx_hosts | grep <ID OF THE LEAKED PDF FILE>

You'll get that the TX Host IP (SrcIP) is 192.168.121.176 and not 192.168.121.179 !!!

It seems that Bro switched their positions in the output. I found this in an assignment given to my students, and one of them gave me a completely different result. So when I double-checked with Wireshark, I found that the IPs have been switched by Bro.

Hope this helps.
Ali
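A consistency check a reader can run over their own logs, added here as an example (it is not part of the ticket or of Bro): it joins files.log to conn.log on conn_uids and flags any record whose tx_hosts/rx_hosts disagree with the direction implied by the files.log is_orig field (T when the connection originator transmitted the file). The log lines embedded below are constructed samples with placeholder addresses and uids.

```python
"""Cross-check files.log tx_hosts/rx_hosts against conn.log (example, not Bro's code).

Bro logs are TSV with a '#fields' header; set-typed columns are comma-separated,
with '(empty)' for an empty set and '-' for an unset field.
"""

# Constructed sample logs (placeholder uids and addresses, not from the ticket).
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring
1.0\tCsample1\t10.0.0.5\t51000\t10.0.0.9\t25\ttcp\tsmtp
2.0\tCsample2\t10.0.0.5\t51001\t10.0.0.9\t25\ttcp\tsmtp
"""

FILES_LOG = """#fields\tts\tfuid\ttx_hosts\trx_hosts\tconn_uids\tsource\tmime_type\tis_orig
#types\ttime\tstring\tset[addr]\tset[addr]\tset[string]\tstring\tstring\tbool
1.5\tFsample1\t10.0.0.5\t10.0.0.9\tCsample1\tSMTP\tapplication/pdf\tT
2.5\tFsample2\t10.0.0.9\t10.0.0.5\tCsample2\tSMTP\tapplication/pdf\tT
"""


def parse_bro_log(text):
    """Return one dict per record, keyed by the names in the '#fields' header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def parse_set(value):
    """Decode a set-typed column into a Python set."""
    return set() if value in ("-", "(empty)") else set(value.split(","))


def check_direction(files_log, conn_log):
    """Return (fuid, expected_tx, expected_rx, tx_hosts, rx_hosts) for every file
    record whose tx/rx hosts contradict the direction given by is_orig."""
    conns = {c["uid"]: c for c in parse_bro_log(conn_log)}
    mismatches = []
    for f in parse_bro_log(files_log):
        tx, rx = parse_set(f["tx_hosts"]), parse_set(f["rx_hosts"])
        for uid in parse_set(f["conn_uids"]):
            c = conns.get(uid)
            if c is None:
                continue  # no matching connection record; nothing to compare against
            orig, resp = c["id.orig_h"], c["id.resp_h"]
            # is_orig == T: the originator sent the file, so it belongs in tx_hosts.
            exp_tx, exp_rx = (orig, resp) if f["is_orig"] == "T" else (resp, orig)
            if exp_tx not in tx or exp_rx not in rx:
                mismatches.append((f["fuid"], exp_tx, exp_rx, sorted(tx), sorted(rx)))
    return mismatches
```

On the constructed sample, Fsample2 is reported because its tx_hosts names the responder although is_orig says the originator transmitted the file.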

Environment

Linux Ubuntu

Assignee

Robin Sommer

Reporter

Ali Hadi

Labels

External issue ID

None

Components

Fix versions

Priority

High