[Bro-Dev] timer delays between different events for same connection
Seth Hall
seth at corelight.com
Fri Apr 13 04:46:33 PDT 2018
On 13 Apr 2018, at 0:30, Aashish Sharma wrote:
> So I am seeing some weird stuff in my sample pcap of scanners. Maybe too obvious and I am just not seeing why/how of it.
It's a straightforward answer but not completely obvious. :)
> Q. Why would connection_attempt event kick in after 36 minutes and 6 seconds (06:13:48 - 05:37:42)?
I bet that you have a jump in timestamps in your pcap. Since Bro's
internal clock is driven forward by seeing timestamps associated with
packets, it's possible that your pcap has a 36 minute jump in timestamps,
so Bro couldn't have possibly expired anything in the time before that
because from its perspective there was an immediate jump in time. You
don't normally experience the effects of this behavior in traffic you're
sniffing live because you will tend to have many packets every second, so
you see Bro's clock driven forward in very tiny increments as you would
expect. It's when you go a long time without receiving a packet that stuff
gets tricky.
.Seth
--
Seth Hall * Corelight, Inc * www.corelight.com
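To see the effect Seth describes, here is an added Python model (not Bro's code, written for this thread) of timers that expire only when a packet timestamp moves the clock forward. It assumes Bro's default tcp_attempt_delay of 5 s, which the thread does not state, and replays a constructed three-packet scan with the same 36 minute 6 second gap; timestamp_gaps() is the check to run first on a pcap that shows odd delays.

```python
import heapq
from dataclasses import dataclass, field

# Assumption: Bro's default tcp_attempt_delay is 5 s; the thread does not state it.
TCP_ATTEMPT_DELAY = 5.0

def hms(text):
    """'05:37:42' -> seconds since midnight, so the sample can reuse the thread's times."""
    return float(sum(int(x) * k for x, k in zip(text.split(":"), (3600, 60, 1))))

# Constructed sample: one scanner SYN, nothing for 36 min 6 s, then the next probes.
SAMPLE_PACKETS = [
    (hms("05:37:42"), "10.0.0.9>10.0.0.2:22", "S"),
    (hms("06:13:48"), "10.0.0.9>10.0.0.2:23", "S"),
    (hms("06:13:49"), "10.0.0.9>10.0.0.2:80", "S"),
]

@dataclass(order=True)
class Timer:
    fire_at: float
    conn: str = field(compare=False)

class NetworkClock:
    """Timers expire on packet time, never on wall-clock time (model of Bro's behaviour)."""
    def __init__(self):
        self.now, self.pending = None, []

    def schedule(self, conn, delay):
        heapq.heappush(self.pending, Timer(self.now + delay, conn))

    def advance(self, ts):
        # The clock moves only when a packet arrives; an out-of-order timestamp never moves it back.
        self.now = ts if self.now is None else max(self.now, ts)
        expired = []
        while self.pending and self.pending[0].fire_at <= self.now:
            t = heapq.heappop(self.pending)
            expired.append((t.conn, t.fire_at, self.now))  # (conn, due at, actually fired at)
        return expired

def replay(packets):
    """Replay (timestamp, conn, tcp_flags) tuples; return the connection_attempt firings."""
    clock, answered, attempts = NetworkClock(), set(), []
    for ts, conn, flags in packets:
        # Timers are checked only here: nothing can expire between two packets.
        attempts += [e for e in clock.advance(ts) if e[0] not in answered]
        if flags == "S":
            clock.schedule(conn, TCP_ATTEMPT_DELAY)
        elif flags == "SA":  # a SYN answered before its timer runs out is not an attempt
            answered.add(conn)
    return attempts

def timestamp_gaps(packets, threshold):
    """Sanity check for a pcap: consecutive-packet jumps larger than threshold seconds."""
    return [(a[0], b[0], b[0] - a[0]) for a, b in zip(packets, packets[1:]) if b[0] - a[0] > threshold]
```

For the sample, the timer due at 05:37:47 fires at 06:13:48, the first packet after the gap, which is exactly the 36 minutes and 6 seconds in the question.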