[Bro] Connections in conn.log
anastasakis62 at gmail.com
Thu May 18 08:31:33 PDT 2017
I have a question regarding how the connections are created in conn.log.
I thought that the combination tuple of (src_ip, src_port, dest_ip,
dest_port) was used to define one connection, but this is not the case.
From my conn.log file I have 6 connections with 6 different uids but
with the exact same combination tuple mentioned above.
The first connection is the one that establishes the SSL connection and the
other 5 are identified as OTH, which is "No SYN seen, just midstream
traffic (a 'partial connection' that was not later closed)."
Are they not all included in the same connection because Bro did not
identify the SSL connection closing? If so, does this mean that Bro
considers a flow a unique connection if there is a problem with the protocol
beginning and ending?
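The situation described above (one 4-tuple, several uids, one SF record followed by OTH records) is easy to surface from a conn.log with a short script. What follows is an added example, not code from the original post or from the Bro project: it parses the ASCII conn.log format using its own #separator and #fields header lines, groups records by (id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto), and lists every tuple that Bro split into more than one uid together with each uid's conn_state and history. The embedded log excerpt is constructed for the example; hosts, ports, uids, timestamps and history strings are made up and the column set is the default Bro 2.x conn.log field list.

```python
# Added example (not from the original post or the Bro project): find connection
# tuples that conn.log split across several uids and show each uid's conn_state.
import sys
from collections import defaultdict

# Constructed Bro 2.x ASCII conn.log excerpt (tab-separated, default conn.log
# columns). All addresses, ports, uids, timestamps and history strings are made up.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]
1495120000.000000\tCuid0001\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\tssl\t12.5\t1800\t9200\tSF\tT\tF\t0\tShADadFf\t12\t2300\t14\t9900\t(empty)
1495120020.000000\tCuid0002\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\t-\t0.05\t60\t0\tOTH\tT\tF\t0\tD\t1\t120\t0\t0\t(empty)
1495120040.000000\tCuid0003\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\t-\t0.05\t60\t0\tOTH\tT\tF\t0\tD\t1\t120\t0\t0\t(empty)
1495120060.000000\tCuid0004\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\t-\t0.05\t60\t0\tOTH\tT\tF\t0\tD\t1\t120\t0\t0\t(empty)
1495120080.000000\tCuid0005\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\t-\t0.05\t60\t0\tOTH\tT\tF\t0\tD\t1\t120\t0\t0\t(empty)
1495120100.000000\tCuid0006\t10.0.0.5\t51234\t93.184.216.34\t443\ttcp\t-\t0.05\t60\t0\tOTH\tT\tF\t0\tD\t1\t120\t0\t0\t(empty)
1495120005.000000\tCuid0100\t10.0.0.7\t40001\t8.8.8.8\t53\tudp\tdns\t0.02\t40\t120\tSF\tT\tF\t0\tDd\t1\t68\t1\t148\t(empty)
"""

# The fields that identify a connection in conn.log (the 4-tuple plus transport).
CONN_TUPLE = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")


def _decode_separator(raw):
    """Bro writes the separator as e.g. '\\x09'; turn that into the real character."""
    if raw.startswith("\\x") and len(raw) == 4:
        return chr(int(raw[2:], 16))
    return raw


def parse_conn_log(text):
    """Parse Bro ASCII log text into a list of dicts keyed by the #fields names."""
    sep = "\t"
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            sep = _decode_separator(line[len("#separator "):])
            continue
        if line.startswith("#fields"):
            fields = line.split(sep)[1:]
            continue
        if line.startswith("#"):
            continue  # #set_separator, #types, #path, #open, #close ...
        values = line.split(sep)
        if fields is None or len(values) != len(fields):
            raise ValueError("malformed conn.log line: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def group_by_tuple(records):
    """Map each connection tuple to the (uid, conn_state, history) records that share it."""
    groups = defaultdict(list)
    for rec in records:
        key = tuple(rec[f] for f in CONN_TUPLE)
        groups[key].append((rec["uid"], rec["conn_state"], rec["history"]))
    return dict(groups)


def split_connections(records):
    """Keep only the tuples that conn.log split into more than one uid (log order kept)."""
    return {k: v for k, v in group_by_tuple(records).items() if len(v) > 1}


def describe(groups):
    """Render the split tuples as a plain-text report."""
    lines = []
    for (orig_h, orig_p, resp_h, resp_p, proto), entries in groups.items():
        lines.append("%s:%s -> %s:%s/%s: %d uids" % (orig_h, orig_p, resp_h, resp_p, proto, len(entries)))
        for uid, state, history in entries:
            lines.append("    %s  conn_state=%-4s history=%s" % (uid, state, history))
    return "\n".join(lines)


if __name__ == "__main__":
    # Pipe a real conn.log on stdin, or run with no input to use the constructed sample.
    text = SAMPLE_CONN_LOG if sys.stdin.isatty() else sys.stdin.read()
    print(describe(split_connections(parse_conn_log(text))))
```

Run it as `python3 split_conns.py < conn.log` against a real log; the report prints, for each affected tuple, the uid that carried the SYN/handshake (conn_state SF in the sample) followed by the midstream uids marked OTH, which is the pattern the post describes. Grouping includes proto because the same port pair can legitimately appear for both tcp and udp.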