[Bro] Connection lasts huge time

Rotondo Simone simone.rotondo at aizoongroup.com
Tue Jul 5 08:30:15 PDT 2016


Hi,
in my Bro logs, I have some connections that last 6 hours and more.
Those conns use different services:

------------------------
conn.13:00:00-14:00:00.log.gz:{"ts":1466403937.471482,"uid":"CNLOdrb4ss9hRDDgg","id.orig_h":"XXX.XXX.XXX.XXX","id.orig_p":XXXXX,"id.resp_h":"XXX.XXX.XXX.XXX","id.resp_p":3268,"proto":"tcp","duration":16980.700023,"orig_bytes":299358,"resp_bytes":258817,"conn_state":"S1","local_resp":false,"missed_bytes":58394,"history":"ShADad","orig_pkts":485,"orig_ip_bytes":287130,"resp_pkts":243,"resp_ip_bytes":241795,"tunnel_parents":[],"local_origi":"T4","local_respo":"F4"}

------------------------
conn.14:00:00-15:00:00.log.gz:{"ts":1466404357.492809,"uid":"CA7q9dl7q5ZbTDRXa","id.orig_h":"XXX.XXX.XXX.XXX","id.orig_p":XXXXX,"id.resp_h":" XXX.XXX.XXX.XXX","id.resp_p":443,"proto":"tcp","service":"ssl","duration":22774.467724,"orig_bytes":341462,"resp_bytes":402631,"conn_state":"S1","local_resp":true,"missed_bytes":51675,"history":"ShADda","orig_pkts":921,"orig_ip_bytes":353314,"resp_pkts":2058,"resp_ip_bytes":458288,"tunnel_parents":[],"from_known_services":["SSL"],"local_origi":"T4","local_respo":"T4"}
+++++
ssl.08:00:00-09:00:00.log.gz:{"ts":1466404357.495789,"uid":"CA7q9dl7q5ZbTDRXa","id.orig_h":"XXX.XXX.XXX.XXX","id.orig_p":XXXXX,"id.resp_h":"XXX.XXX.XXX.XXX","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","server_name":"mail.xxxxxx.xxx","resumed":true,"established":true}

------------------------
conn.14:00:00-15:00:00.log.gz:{"ts":1466404268.700607,"uid":"Czvp3U1saSEh9powDh","id.orig_h":"XXX.XXX.XXX.XXX","id.orig_p":XXXXX,"id.resp_h":"XXX.XXX.XXX.XXX","id.resp_p":443,"proto":"tcp","service":"ssl","duration":21422.058832,"orig_bytes":2158,"resp_bytes":122049,"conn_state":"RSTO","local_resp":true,"missed_bytes":3254,"history":"ShADdaR","orig_pkts":411,"orig_ip_bytes":18610,"resp_pkts":836,"resp_ip_bytes":152247,"tunnel_parents":[],"from_known_services":["SSL"],"local_origi":"T4","local_respo":"T4"}
+++++
ssl.08:00:00-09:00:00.log.gz:{"ts":1466404268.70101,"uid":"Czvp3U1saSEh9powDh","id.orig_h":"XXX.XXX.XXX.XXX","id.orig_p":XXXXX,"id.resp_h":"XXX.XXX.XXX.XXX","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp384r1","server_name":"mail.xxxxx.xxx","resumed":false,"established":true,"cert_chain_fuids":["XXXXXXXXXXXXXXXXX","XXXXXXXXXXXXXXXXXXX"],"client_cert_chain_fuids":[],"subject":"emailAddress=hostmaster at xxxxxx.xx,CN=mail.xxxxxxx.xxx,O=XXXXXXX,...}


Have you got any idea about this issue?

BR
Simone
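Added example, not code from the poster or the Bro project: a small Python triage script that reads JSON conn.log records in the shape shown above, picks out connections lasting an hour or more, and annotates each with the documented meaning of its conn_state plus the history and missed_bytes fields a reviewer checks first. The sample records are constructed with placeholder addresses and a third short connection for contrast.

```python
import json

# Constructed sample records in the Bro JSON conn.log shape shown in the thread.
# Addresses and the third (short) record are placeholders, not the poster's data.
SAMPLE_CONN_LOG = """\
{"ts":1466403937.471482,"uid":"CNLOdrb4ss9hRDDgg","id.orig_h":"10.0.0.1","id.orig_p":51000,"id.resp_h":"10.0.0.2","id.resp_p":3268,"proto":"tcp","duration":16980.700023,"orig_bytes":299358,"resp_bytes":258817,"conn_state":"S1","missed_bytes":58394,"history":"ShADad"}
{"ts":1466404268.700607,"uid":"Czvp3U1saSEh9powDh","id.orig_h":"10.0.0.1","id.orig_p":51001,"id.resp_h":"10.0.0.3","id.resp_p":443,"proto":"tcp","service":"ssl","duration":21422.058832,"orig_bytes":2158,"resp_bytes":122049,"conn_state":"RSTO","missed_bytes":3254,"history":"ShADdaR"}
{"ts":1466404300.0,"uid":"Cshort1","id.orig_h":"10.0.0.1","id.orig_p":51002,"id.resp_h":"10.0.0.4","id.resp_p":80,"proto":"tcp","service":"http","duration":0.42,"orig_bytes":300,"resp_bytes":1200,"conn_state":"SF","missed_bytes":0,"history":"ShADadFf"}
"""

# Documented Bro conn_state meanings for the states that appear above.
CONN_STATE_NOTES = {
    "S1": "established, no termination seen (still open when Bro wrote the record)",
    "RSTO": "established, then the originator aborted it with a RST",
    "SF": "normal establishment and termination",
}

def parse_conn_log(text):
    """Parse one JSON record per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage_long_connections(records, min_duration=3600.0):
    """Return triage rows for connections lasting at least min_duration seconds,
    longest first. missed_bytes counts content gaps Bro observed (packet loss
    or capture drops), which is worth checking on any connection that looks
    unusually long."""
    rows = []
    for r in records:
        if r.get("duration", 0.0) < min_duration:
            continue
        state = r.get("conn_state")
        rows.append({
            "uid": r["uid"],
            "resp_p": r["id.resp_p"],
            "service": r.get("service", "-"),
            "hours": round(r["duration"] / 3600.0, 2),
            "conn_state": state,
            "state_note": CONN_STATE_NOTES.get(state, "see the conn.log documentation"),
            "history": r.get("history"),
            "missed_bytes": r.get("missed_bytes", 0),
            "still_open": state == "S1",
        })
    return sorted(rows, key=lambda row: -row["hours"])

if __name__ == "__main__":
    for row in triage_long_connections(parse_conn_log(SAMPLE_CONN_LOG)):
        print(row)
```

Run it against a real JSON conn.log by replacing SAMPLE_CONN_LOG with the file contents; records with conn_state S1 are the ones Bro never saw close.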