[Bro] A strange connection
mlaterma at ucalgary.ca
Sun Jan 25 06:58:19 PST 2015
I recently saw the same thing in my logs. It's because orig_bytes and resp_bytes use sequence numbers to find bytes transferred; you are seeing the sequence number rollover. orig_ip_bytes and resp_ip_bytes should have the correct values of bytes (with TCP headers).
Michel

On Jan 25, 2015 7:40 AM, Balasubramaniam Natarajan <bala150985 at gmail.com> wrote:
> On Sun, Jan 25, 2015 at 6:12 PM, Po-Ching Lin <pachinko.tw at gmail.com> wrote:
>> 1419498119.991707 CLQP0QdahFaFha0U2 140.x.x.x 58967 66.171.248.x 80 tcp http 253.220343 114502461 592490922 SF T 114502154
>> ShADadfF 5 519 6 578 (empty)
> Is this by any chance a SF scan ? If this were a normal connection won't we be seeing an Ack Flag, Push Flag in addition to the SF noted above ?
> Balasubramaniam Natarajan
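
The consistency check implied by the reply above, as an added example that is not part of the original thread: it parses conn.log records and reports the directions where the sequence-derived payload count (orig_bytes / resp_bytes) exceeds the packet-level count (orig_ip_bytes / resp_ip_bytes). The column order is assumed to match the record quoted in the thread; the log lines, addresses and UIDs are constructed, with the first line reusing the counters from the quoted record.

```python
# Assumed column order, matching the 20 fields of the record quoted in the thread.
FIELDS = (
    "ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
    "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
    "missed_bytes", "history", "orig_pkts", "orig_ip_bytes", "resp_pkts",
    "resp_ip_bytes", "tunnel_parents",
)
INT_FIELDS = ("orig_bytes", "resp_bytes", "missed_bytes", "orig_pkts",
              "orig_ip_bytes", "resp_pkts", "resp_ip_bytes")

def parse_conn(line):
    """Split one whitespace-separated conn.log record into a dict."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    rec = dict(zip(FIELDS, values))
    for name in INT_FIELDS:
        # "-" is the log's marker for an unset field.
        rec[name] = None if rec[name] == "-" else int(rec[name])
    return rec

def inconsistent_directions(rec):
    """Return the sides whose payload count exceeds the bytes seen in IP packets.

    IP-level bytes include headers, so a payload count above them means the
    sequence-derived figure should not be trusted for that side.
    """
    flagged = []
    for side in ("orig", "resp"):
        payload, on_wire = rec[f"{side}_bytes"], rec[f"{side}_ip_bytes"]
        if payload is not None and on_wire is not None and payload > on_wire:
            flagged.append(side)
    return flagged

# Constructed sample records (documentation addresses, made-up UIDs).
SAMPLE_LOG = [
    "1419498119.991707 CExampleUid0000001 192.0.2.10 58967 198.51.100.20 80 tcp http "
    "253.220343 114502461 592490922 SF T 114502154 ShADadfF 5 519 6 578 (empty)",
    "1419498200.000000 CExampleUid0000002 192.0.2.10 58970 198.51.100.20 80 tcp http "
    "0.500000 211 310 SF T 0 ShADadfF 5 479 6 630 (empty)",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_conn(line)
        print(rec["uid"], rec["history"], inconsistent_directions(rec) or "consistent")
```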