[Bro] Problem with connections in S1 and SF state

Sven Dreyer sven at dreyer-net.de
Thu Dec 3 12:41:10 PST 2015


Thank you very much for your reply.

I ran the command you mentioned for my pcap file and checked the
conn.log written in my current directory. But this does not seem to
change anything; source and destination for the connection I was
looking at are still twisted.

Best regards, Sven

On 25.11.2015 at 14:08, derek at criticalstack.com wrote:
> Sven,
> Try running the pcap through your local policy scripts and check the
> output:
> bro -r file.pcap local
> I don't otherwise have a specific clue why this could happen, but it's
> best to compare the same process.
> -Derek
>> From: Sven Dreyer
>> Sent: Thursday, November 19, 10:34
>> Subject: Re: [Bro] Problem with connections in S1 and SF state
>> To: bro at bro.org, Azoff, Justin S
>>
>> Justin, thanks for the hint. I should indeed have checked the history
>> field. But even for connections that do not start with d or D in the
>> history field, I see the same behaviour. Source and destination are
>> still twisted:
>>
>> 1447675087.121817 CjRCD61gNErucciPb8 87.144.16.xxx 50993 192.168.100.yyy 26577 tcp ssl 83.596659 1432 2619 S1 F T 0 ShADad 18 2164 15 3231 (empty)
>>
>> Bro is configured to listen to a bridge interface (br0). But I also
>> have a dumpcap process running that writes all packets to pcap files.
>> Interestingly, if I feed the corresponding pcap file to bro
>> (bro -r file.pcap), I get source and destination in the right order:
>>
>> 1447675087.121817 C2AvJf3WgcdiBlYfS4 192.168.100.yyy 26577 87.144.16.xxx 50993 tcp ssl 83.596659 1432 2619 S1 - - 0 ShADad 18 2164 15 3231 (empty)
>>
>> Does anybody have an explanation for this?
>>
>> Thanks, Sven
>>
>> On 17.11.2015 at 21:53, Azoff, Justin S wrote:
>>> You should really be looking at the history field:
>>>
>>> history: string &log &optional
>>> Records the state history of connections as a string of letters. The
>>> meaning of those letters is:
>>>
>>> Letter  Meaning
>>> s       a SYN w/o the ACK bit set
>>> h       a SYN+ACK ("handshake")
>>> a       a pure ACK
>>> d       packet with payload ("data")
>>> f       packet with FIN bit set
>>> r       packet with RST bit set
>>> c       packet with a bad checksum
>>> i       inconsistent packet (e.g. SYN+RST bits both set)
>>>
>>> If the event comes from the originator, the letter is in upper-case;
>>> if it comes from the responder, it's in lower-case. Multiple packets
>>> of the same type will only be noted once (e.g. we only record one "d"
>>> in each direction, regardless of how many data packets were seen.)
>>>
>>> So any connection that starts with D or d means bro missed the initial
>>> syn handshake (Sh)
>>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
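As an added example (not code from the thread or from the Bro project), a small Python parser for the two conn.log lines posted above that decodes the history field the way Justin describes it and flags records whose handshake Bro never saw; it assumes the default Bro 2.x conn.log column order, which the posted 21-field lines match.

```python
# Added example, not code from the thread: parse whitespace-separated
# conn.log records and decode the "history" field.  Assumes the default
# Bro 2.x conn.log column order (21 fields, as in the posted lines).
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "local_resp", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
    "tunnel_parents",
]

# Letter meanings as quoted in the thread; the case of each letter
# encodes direction (upper-case = originator, lower-case = responder).
HISTORY_LETTERS = {
    "s": "SYN w/o the ACK bit set", "h": "SYN+ACK (handshake)",
    "a": "pure ACK", "d": "packet with payload (data)",
    "f": "packet with FIN bit set", "r": "packet with RST bit set",
    "c": "packet with a bad checksum",
    "i": "inconsistent packet (e.g. SYN+RST bits both set)",
}

# The two records from the thread (addresses masked as posted).
SAMPLE_LINES = [
    "1447675087.121817 CjRCD61gNErucciPb8 87.144.16.xxx 50993 192.168.100.yyy 26577 tcp ssl 83.596659 1432 2619 S1 F T 0 ShADad 18 2164 15 3231 (empty)",
    "1447675087.121817 C2AvJf3WgcdiBlYfS4 192.168.100.yyy 26577 87.144.16.xxx 50993 tcp ssl 83.596659 1432 2619 S1 - - 0 ShADad 18 2164 15 3231 (empty)",
]

def parse_conn_line(line):
    """Split one conn.log record into a dict keyed by Bro field name."""
    values = line.split()
    if len(values) != len(CONN_FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(CONN_FIELDS), len(values)))
    return dict(zip(CONN_FIELDS, values))

def decode_history(history):
    """Expand a history string into (direction, meaning) pairs; '-' is unset."""
    if history == "-":
        return []
    decoded = []
    for ch in history:
        meaning = HISTORY_LETTERS.get(ch.lower())
        if meaning is None:
            raise ValueError("unknown history letter: %r" % ch)
        decoded.append(("originator" if ch.isupper() else "responder", meaning))
    return decoded

def missed_handshake(history):
    """Per Justin's note: a history starting with D or d means Bro never saw
    the SYN handshake ("Sh"), so originator/responder were inferred from the
    first packet seen and the logged direction may be reversed."""
    return history[:1] in ("D", "d")
```

Both posted records decode to a full "Sh" handshake from the originator's side, which is why the history check alone does not explain the flipped direction in Sven's live capture.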
