[Bro] Connection summary email inaccuracies
Siwek, Jonathan Luke
jsiwek at illinois.edu
Wed Aug 28 10:30:48 PDT 2013
> Netstat doesn't indicate any dropped packets, and conn.log doesn't
> indicate any missed_bytes. Can anyone shed some light on why bro could
> be so wrong about these statistics? Would it matter that I am using a
> single instance of bro to monitor two interfaces (bro -i em0 -i em1)?
The interface thing shouldn't matter. What version of Bro are you using? I think there was some race in how log rotation postprocessing occurred that was fixed in git that may be a cause for what you're seeing. So you might try testing from git sources as a first step to see if suddenly the summary starts looking correct.
Else the approach to finding where it's going wrong would be: Does conn.log look correct? If no, then it's a Bro problem. If yes, then it's a problem with how conn.log is parsed by $prefix/bin/trace-summary or how that python script is invoked by BroControl. You should be able to run that trace-summary script manually on one of your conn.logs to see if it actually gives sane output. That looks like:
PYTHONPATH=/usr/local/bro/lib/broctl/ /usr/local/bro/bin/trace-summary -c -r -l /usr/local/bro/etc/networks.cfg conn.log
Doing a quick test myself I don't think I see anything overtly wrong, though there are some warnings from it that make me think payload may be under-reported. Another weird thing is that if a connection is between two "local" hosts specified in networks.cfg, that's categorized as "outgoing", not "incoming".
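The reply above suggests deciding whether conn.log itself is right before blaming trace-summary. The script below is an added example, not part of the original post and not Bro's or BroControl's trace-summary: it parses a conn.log using its own `#fields` header, reads a networks.cfg in BroControl's prefix-plus-description format, and totals connections, payload bytes, IP bytes and missed_bytes per direction. It keeps local-to-local traffic in its own "internal" bucket, so the count there shows how much the summary's lumping of that traffic into "outgoing" would shift the numbers. The log rows and networks.cfg entries are constructed sample data, and the directory of helper names (`summarize_text`, `classify`) is this example's own.

```python
"""Cross-check a Bro conn.log against the direction buckets a summary report uses.

Added example for diagnosing summary-vs-conn.log discrepancies; not Bro's own code.
"""
import ipaddress
from typing import Dict, List

# Constructed networks.cfg in BroControl's format: prefix, whitespace, description.
SAMPLE_NETWORKS_CFG = """# local address space (constructed for this example)
10.0.0.0/8          Private IP space
198.51.100.0/24     DMZ
"""

# Constructed Bro 2.x conn.log. Column order is taken from the #fields header
# at parse time, so nothing below hardcodes positions. '-' marks an unset field.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes"
    "\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents\n"
    # local -> remote web fetch: outgoing
    "1377700000.1\tCX1\t10.0.0.5\t51000\t93.184.216.34\t80\ttcp\thttp\t1.5\t300\t4500"
    "\tSF\tT\t0\tShADadFf\t6\t620\t7\t4900\t(empty)\n"
    # remote -> local ssh: incoming
    "1377700001.2\tCX2\t203.0.113.9\t40022\t10.0.0.20\t22\ttcp\tssh\t30.2\t1200\t800"
    "\tSF\tF\t0\tShAdDaFf\t10\t1700\t9\t1280\t(empty)\n"
    # local -> local SMB with a capture gap (missed_bytes > 0): internal
    "1377700002.3\tCX3\t10.0.0.5\t52000\t198.51.100.7\t445\ttcp\t-\t12.0\t50000\t2000"
    "\tSF\tT\t1460\tShADadgFf\t40\t52100\t20\t3040\t(empty)\n"
    # remote -> remote DNS seen on the wire, no reply: external
    "1377700003.4\tCX4\t203.0.113.9\t5353\t192.0.2.1\t53\tudp\tdns\t0.01\t60\t-"
    "\tS0\tF\t0\tD\t1\t88\t0\t0\t(empty)\n"
)

DIRECTIONS = ("incoming", "outgoing", "internal", "external")


def parse_networks_cfg(text: str) -> List:
    """Return the local prefixes listed in a networks.cfg (comments and blanks ignored)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets


def is_local(addr: str, nets) -> bool:
    """True if addr falls inside any configured local prefix."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro ASCII conn.log into one dict per row, keyed by the #fields names."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines (#separator, #open, #close ...) and blanks
        else:
            if fields is None:
                raise ValueError("data row before #fields header")
            values = line.split("\t")
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
            rows.append(dict(zip(fields, values)))
    return rows


def as_int(value: str) -> int:
    """Bro writes '-' for unset counters; treat that as zero when totalling."""
    return 0 if value == "-" else int(value)


def classify(orig_local: bool, resp_local: bool) -> str:
    """Direction relative to the local networks; local-to-local is kept separate."""
    if orig_local and resp_local:
        return "internal"
    if orig_local:
        return "outgoing"
    if resp_local:
        return "incoming"
    return "external"


def summarize(rows: List[Dict[str, str]], nets) -> Dict:
    """Per-direction connection, payload-byte and IP-byte totals plus total missed_bytes."""
    buckets = {d: {"conns": 0, "payload_bytes": 0, "ip_bytes": 0} for d in DIRECTIONS}
    missed = 0
    for row in rows:
        bucket = buckets[classify(is_local(row["id.orig_h"], nets),
                                  is_local(row["id.resp_h"], nets))]
        bucket["conns"] += 1
        # orig_bytes/resp_bytes are payload; *_ip_bytes include headers, which is
        # the pair to compare when a summary's byte counts look under-reported.
        bucket["payload_bytes"] += as_int(row["orig_bytes"]) + as_int(row["resp_bytes"])
        bucket["ip_bytes"] += as_int(row["orig_ip_bytes"]) + as_int(row["resp_ip_bytes"])
        missed += as_int(row["missed_bytes"])
    return {"buckets": buckets, "missed_bytes_total": missed}


def summarize_text(conn_log_text: str, networks_cfg_text: str) -> Dict:
    """Convenience wrapper: summarize a conn.log and networks.cfg given as strings."""
    return summarize(parse_conn_log(conn_log_text), parse_networks_cfg(networks_cfg_text))


if __name__ == "__main__":
    result = summarize_text(SAMPLE_CONN_LOG, SAMPLE_NETWORKS_CFG)
    for direction, b in result["buckets"].items():
        print(f"{direction:9s} conns={b['conns']} payload={b['payload_bytes']} ip={b['ip_bytes']}")
    print("missed_bytes total:", result["missed_bytes_total"])
```

To use it on a real log, read the file and networks.cfg into strings (or swap the sample constants for `open(...).read()`) and compare each bucket with the matching line of the emailed summary; a non-zero missed_bytes total says the gap is in capture rather than in parsing, and a large "internal" bucket is the local-to-local traffic the post describes as being filed under "outgoing".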