[Bro] lack of seen_bytes
seth at corelight.com
Fri Sep 29 07:14:52 PDT 2017
On 28 Sep 2017, at 13:57, Stephen Reese wrote:
> I have been experiencing hash misses so to speak with PE files due to
> lack of seen_bytes versus total_bytes. Is this indication of a
> performance problem which the sensor is overwhelmed therefore cannot
> parse the entire file?
Those numbers can be really tricky. If a protocol indicates how much
data it's going to transfer or how big the file is, Bro will know the
total_bytes. There are a number of cases where total_bytes isn't even
known. It's also possible that Bro is tracking files that aren't even
being transferred in their entirety. Over SMB, you will very frequently
see portions of files transferred where Bro never even had an
opportunity to see the whole file.
What may help next is if you look at the conn log for the connections
where you are seeing files transferred to see if the missed_bytes on
that connection is greater than zero. That should tell you if there was
any packet loss in the connection which could also cause some bizarre
behavior as you're describing.
If you could provide a conn log entry and files log entry where you are
seeing the problem, that would be the fastest way to figure out what's
happening (please just mask out IP addresses).
Seth Hall * Corelight, Inc * www.corelight.com
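The triage Seth describes (match each short-seen file in files.log to its connection in conn.log and check whether missed_bytes is non-zero) can be scripted. The following is an added example, not code from the thread or from the Bro project; it assumes Bro's default tab-separated log format with the field names used above (seen_bytes, total_bytes, conn_uids, missed_bytes), and the log lines, uids and byte counts in it are constructed for illustration rather than captured from real traffic. It separates the cases Seth lists: total_bytes unknown to Bro, a file genuinely transferred in part (as with partial SMB reads), and a file short because the sensor dropped packets.

```python
"""Cross-check files.log against conn.log for short seen_bytes.

Added example (not from the mailing-list thread). Assumes Bro's default
TSV log layout; every log line below is constructed sample data.
"""
from typing import Dict, List, Optional

# Constructed files.log fragment, reduced to the fields used here.
FILES_LOG = """#separator \\x09
#fields\tts\tfuid\tconn_uids\tsource\tmime_type\tseen_bytes\ttotal_bytes\tmissing_bytes
#types\ttime\tstring\tset[string]\tstring\tstring\tcount\tcount\tcount
1506600000.1\tFa1b2c3\tCuid0001\tHTTP\tapplication/x-dosexec\t20480\t20480\t0
1506600001.2\tFd4e5f6\tCuid0002\tHTTP\tapplication/x-dosexec\t8192\t65536\t57344
1506600002.3\tFg7h8i9\tCuid0003\tSMB\tapplication/x-dosexec\t4096\t-\t0
1506600003.4\tFj0k1l2\tCuid0004\tSMB\tapplication/x-dosexec\t4096\t1048576\t0
"""

# Constructed conn.log fragment; missed_bytes > 0 means Bro saw a gap in the stream.
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.resp_h\tproto\tmissed_bytes
#types\ttime\tstring\taddr\taddr\tenum\tcount
1506600000.0\tCuid0001\t10.0.0.1\t10.0.0.2\ttcp\t0
1506600001.0\tCuid0002\t10.0.0.1\t10.0.0.3\ttcp\t57344
1506600002.0\tCuid0003\t10.0.0.1\t10.0.0.4\ttcp\t0
1506600003.0\tCuid0004\t10.0.0.1\t10.0.0.5\ttcp\t0
"""


def parse_zeek_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro/Zeek TSV log into one dict per record, keyed by the #fields header."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # #separator, #types, #open, #close ...
        if fields is None:
            raise ValueError("log record appeared before the #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def to_count(value: str) -> Optional[int]:
    """Bro writes '-' for an unset field; map that to None instead of 0."""
    return None if value == "-" else int(value)


def classify_files(files_log: str, conn_log: str) -> Dict[str, str]:
    """Return a verdict per fuid: complete, unknown_total, packet_loss or partial_transfer."""
    conns = {r["uid"]: r for r in parse_zeek_log(conn_log)}
    verdicts: Dict[str, str] = {}
    for f in parse_zeek_log(files_log):
        seen = to_count(f["seen_bytes"]) or 0
        total = to_count(f["total_bytes"])
        if total is None:
            # The protocol never told Bro the file size; a short seen_bytes
            # is not evidence of a problem on its own.
            verdicts[f["fuid"]] = "unknown_total"
        elif seen >= total:
            verdicts[f["fuid"]] = "complete"
        else:
            # conn_uids is a set; multiple uids are comma-separated in the log.
            lost = any(
                (to_count(conns[uid]["missed_bytes"]) or 0) > 0
                for uid in f["conn_uids"].split(",")
                if uid in conns
            )
            verdicts[f["fuid"]] = "packet_loss" if lost else "partial_transfer"
    return verdicts


if __name__ == "__main__":
    for fuid, verdict in classify_files(FILES_LOG, CONN_LOG).items():
        print(f"{fuid}\t{verdict}")
```

Only the packet_loss verdict points at the sensor (drops on the capture path); partial_transfer with missed_bytes of zero is the SMB partial-read situation Seth describes, and unknown_total means the comparison was never meaningful. On a real sensor, feed the script the matching time window of both logs rather than the whole day, since conn.log uids are what ties the two together.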