[Bro] long SSH connection in conn.log

Johanna Amann johanna at icir.org
Tue Sep 15 09:18:54 PDT 2015

Hello Sven,

you are probably running into internal Bro timeouts here. Generally, since
Bro can only use limited amounts of RAM, Bro automatically times out
connections after it does not see any activity (exchanged packets) for a
specified period of time. For TCP, this is generally 5 minutes, defined in

Since interactive protocols tend to have longer periods of time where we
might not see any exchanged connections, Bro has special settings for them
- in base/protocols/conn/inactivity.bro the timeout for identified SSH
sessions is set to 1 hour. However, if your session does not exchange any
packets for more than one hour, Bro will assume that it has been closed
and just not seen the packets closing the connection. Everything following
will be regarded as a new connection - and in your case fall under the
default 5 minute timeout since it cannot reliably be identified as SSH.

This is a generic problem - you have to just assume that connections are
terminated after you did not see any exchanged data for a specified period
of time. In case the current Bro settings do not work for you, you can
redef them.

I hope that helps,

On Fri, Sep 04, 2015 at 12:08:56AM +0200, Sven Dreyer wrote:
> Dear list,
> I started an SSH connection in my LAN on 3:32pm which lasted until 
> 07:04pm - so we're talking about an SSH session lasting 3 1/2 hours.
> In my conn.log files, I find this single SSH connection as 5 connections:
> 1)   conn_state S1, service ssh
> 2-4) conn_state OTH, service -
> 5)   conn_state SF, service -
> Bro was started before the SSH connection was initiated, so I'd expect a 
> single conn.log entry to be written when I disconnect. Or did I get 
> something wrong here?
> Thanks!
> Sven
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
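
Added example, not part of this thread and not Bro's own code: a site-local script that redefines the SSH inactivity timeout the reply refers to. It assumes the Bro 2.x names exported by base/protocols/conn/inactivity.bro (Conn::analyzer_inactivity_timeouts, Conn::port_inactivity_timeouts) and the tcp_inactivity_timeout global from base/init-bare.bro; the 4-hour value is chosen only for illustration.

```bro
##! Added example (assumed names from Bro 2.x, not code from the thread):
##! keep connection state for idle SSH sessions longer than the stock
##! 1 hour before Bro gives up and starts a fresh conn.log entry.

@load base/protocols/conn

# Sessions the SSH analyzer has confirmed: allow 4 hours of silence
# (assumed value; pick what matches your longest idle sessions, since
# every connection held open across the timeout costs RAM).
redef Conn::analyzer_inactivity_timeouts += {
	[Analyzer::ANALYZER_SSH] = 4 hrs,
};

# Port-based rule for 22/tcp as well, so the longer timeout also applies
# to a connection the analyzer never confirms as SSH.
redef Conn::port_inactivity_timeouts += {
	[22/tcp] = 4 hrs,
};

# Deliberately left at the default: raising the generic TCP timeout
# would hold state for every idle flow, not only interactive ones.
# redef tcp_inactivity_timeout = 10 min;
```

Load this from local.bro (or whatever your deployment's site script is) and restart Bro; a session that stays idle for less than 4 hours should then appear as one conn.log entry instead of an S1/OTH/SF chain. One caveat: the port-based table is applied from connection_established, so it only helps when Bro saw the handshake. Fragments that begin mid-stream, like the OTH entries in the original question, still fall back to tcp_inactivity_timeout, which is why the analyzer-confirmed timeout on the original session is what matters.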