[Bro] Definition of a connection in conn.log
navraj42 at gmail.com
Fri Mar 25 19:48:04 PDT 2016
Thanks Johanna! This helps a lot.
On Fri, Mar 25, 2016 at 10:58 AM, Johanna Amann <johanna at icir.org> wrote:
> let me try to give a few quick answers to your question.
> On Tue, Mar 22, 2016 at 03:00:25PM -0600, Navraj Singh wrote:
> > 1. Is it safe to assume that any given packet will be assigned to at most
> > one connection, and thus to at most one row in conn.log?
> No - there is a special case for tunnels, where a connection can be the
> parent of another connection (the child shows its parent in the
> tunnel_parents field of conn.log). In that case, the packet is assigned to
> both the child and the parent.
> > 2. Why is it that some rows in conn.log do not have the duration field
> > I see see several row with a '-' in the duration field.
> That should mean that the duration was "0" (e.g. single packet), if I am
> not mistaken.
> > 3. The bro documentation states that "For UDP and ICMP, “connections” are
> > to be interpreted using flow semantics (sequence of packets from a source
> > host/port to a destination host/port)." However, what is the exact
> > definition for a TCP flow? How does Bro decide which packets to include
> > a connection?
> That s a not quite straightforward to answer question. Generally Bro
> counts connections a 5-tuples; however, there are several timeouts at work
> (after no packets were arrived for a certain amount of time, a connection
> is seen as finished; if theree are new packets, a new connection will
> begin). For TCP, a connection also can be ended by fin and rst packets,
> and a new connection will begin afterwards.
> The timeouts are set using configuration variables - e.g. the default
> tcp_inactivity_timeout, after which a TCP connection is considered closed
> when no more packets are seen is 5 minutes. For UDP, it is 1 minute. For
> ICMP it also is one minute.
> > 4. For an ongoing 'connection', does Bro wait until the connection is
> > before logging it? What if the connection is quite long in
> > that cause a lag? Or does Bro automatically chop up long flows based on
> > some configurable limit parameter?
> Yup. And you are right, it will cause a lag in logging.
> I hope this helps,
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro