[Bro] fields in the conn.log

Jason Lee jrlee at lbl.gov
Fri Jul 22 12:17:55 PDT 2005




Angelita,

http://www.bro-ids.org/Bro-reference-manual/Connection-summaries.html

Explains how the fields are structured, but it's a little out of date.
I'll fill in the missing parts and see that the manual gets updated.

Given a line like this from the conn.log:

1122055977.662564 0.105927 10.1.1.1 10.2.2.2 http 55985 80 tcp 735 12946 SF L %71

 Unix Date/time: 1122055977.662564
 Duration of the connection: 0.105927
 Originator IP: 10.1.1.1
 Responder IP: 10.2.2.2
 Protocol: http
 Originator port: 55985
 Responder port: 80
 Transport Protocol: tcp
 Originator bytes sent: 735
 Responder bytes sent: 12946
 Flags: SF  (Normal connection saw both SYN and FIN packets)
 Additional Flags: L (connection was initiated locally)
 Tag: %71

 Now I can take my tag, and look in the http.log to
 find out more about that connection (I'm running the
 http analyzer):

 http.log looks like this (example):
 1121793380.980924 %71 start 10.1.1.1 > 10.2.2.2
 1121793380.985317 %71 GET /foo/bar/baz.html (200 "OK" [145])


 Having said all this, the alarm.log is very different, it's
 a 'tagged' format that is fairly self-descriptive. This is
 an example from the alarm.log file:

 t=1000057981.940712 no=AddressScan na=NOTICE_ALARM_ALWAYS sa=10.1.1.1 sp=2222/tcp da=10.2.2.2 dp=3333/tcp msg=10.1.1.1\ has\ scanned\ 2000\ hosts\ (3333/tcp) tag=@42

 t: time
 no: notice
 na: notice action
 sa: source address
 sp: source port
 da: destination address
 dp: destination port
 msg: message (in this case a host has scanned 20 hosts)
 tag: identifier to match this to lines in notice.log and conn.log:

 Now you can take the tag and look in the conn.log to find the connection (with grep):

 1000057956.062082 ? 10.1.1.1 10.2.2.2 other 2222 3333 tcp ? ? S0 X  @142
 (we can see that it didn't connect and no bytes were transferred)


 Also there is a good section in the manual about alarms:
 http://www.bro-ids.org/Bro-user-manual/Analysis-of-Incidents-and-Alarms.html#Analysis-of-Incidents-and-Alarms

 That should help explain the sort ids.

 Hope this helps.
 Cheers,
 jason



Angelita de Cássia Corrêa wrote:
> Hi Jason,
>  
> I need to understand more the alert, the definition of each column.
>  
> In your example, could you explain to me what each column means?
>  
> *Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66
> 239 RSTO X %14*
> Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70
> 604 RSTO X %14
> Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80
> 604 RSTO X %14
> Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80
> 604 RSTO X %14
> *Date/time:* Sep 18 06:51:42
> *Duration of the connection:* 0.153497
> *Origin IP*: 131.243.2.87
> *Victim IP*: 131.243.2.13
> *Victim Protocol:* http
> *???: 2077*
> *Victim Port:* 80
> *Transport Protocol:* tcp
> *???: 66*
> *???: 239  *** (is this the alert SID0?)*
> *???: RSTO*
> *???: X*
> *???: %14*
>  
>  
> Does the bro use SID to identify the alert description?
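The two log formats Jason describes are easy to misread by eye (the `?` placeholders, the backslash-escaped spaces in alarm.log, the three-token human-readable timestamp in Angelita's lines), so here is a small parser for both, plus the tag join between alarm.log, conn.log and http.log that the message walks through. This is an added example, not code from the Bro project or from either message. The sample lines are the ones quoted in the thread; the conn.log tag for the scan connection has been set to `@42` so that it actually matches the alarm line (the message shows `@142`; treating that as a typo is an assumption), and the field names are this example's own choice.

```python
"""Parse the 2005-era Bro conn.log (whitespace columns) and alarm.log
(key=value pairs) formats and join them on the tag field.

Added example; not code from the Bro project or from the mailing-list
message. Field names are this example's own choice.
"""
import re
from typing import Any, Dict, List

# Column order of a conn.log line, as laid out in Jason's message.
CONN_FIELDS = ["ts", "duration", "orig_h", "resp_h", "service", "orig_p",
               "resp_p", "proto", "orig_bytes", "resp_bytes", "state",
               "addl", "tag"]


def _opt(token: str, conv):
    """Bro writes '?' when it never saw the value, e.g. duration and byte
    counts of a connection that never completed its handshake (state S0)."""
    return None if token == "?" else conv(token)


def parse_conn_line(line: str) -> Dict[str, Any]:
    parts = line.split()
    # Angelita's lines carry a human-readable timestamp ("Sep 18 06:51:41",
    # three tokens) instead of epoch seconds; fold it back into one column.
    if len(parts) == len(CONN_FIELDS) + 2:
        parts = [" ".join(parts[:3])] + parts[3:]
    if len(parts) != len(CONN_FIELDS):
        raise ValueError(f"expected {len(CONN_FIELDS)} columns, got {len(parts)}: {line!r}")
    rec: Dict[str, Any] = dict(zip(CONN_FIELDS, parts))
    try:
        rec["ts"] = float(parts[0])
    except ValueError:
        pass  # keep the human-readable timestamp as a string
    rec["duration"] = _opt(parts[1], float)
    rec["orig_p"] = int(parts[5])
    rec["resp_p"] = int(parts[6])
    rec["orig_bytes"] = _opt(parts[8], int)
    rec["resp_bytes"] = _opt(parts[9], int)
    return rec


# A value runs until the first *unescaped* whitespace; "\ " is a literal space.
_KV = re.compile(r"(\w+)=((?:\\.|\S)*)")


def parse_alarm_line(line: str) -> Dict[str, str]:
    """Split a tagged alarm.log line into its key=value pairs and unescape values."""
    return {k: re.sub(r"\\(.)", r"\1", v) for k, v in _KV.findall(line)}


def parse_http_line(line: str) -> Dict[str, Any]:
    """http.log: timestamp, tag, then the free-form event text."""
    ts, tag, event = line.split(None, 2)
    return {"ts": float(ts), "tag": tag, "event": event}


def index_conn_by_tag(lines: List[str]) -> Dict[str, List[Dict[str, Any]]]:
    idx: Dict[str, List[Dict[str, Any]]] = {}
    for line in lines:
        rec = parse_conn_line(line)
        idx.setdefault(rec["tag"], []).append(rec)
    return idx


def connections_for_alarm(alarm: Dict[str, str],
                          conn_index: Dict[str, List[Dict[str, Any]]]) -> List[Dict[str, Any]]:
    """The 'grep the tag in conn.log' step from the message, done as a lookup."""
    return conn_index.get(alarm.get("tag", ""), [])


def http_events_for_tag(tag: str, http_lines: List[str]) -> List[Dict[str, Any]]:
    return [rec for rec in map(parse_http_line, http_lines) if rec["tag"] == tag]


# Sample lines taken from the thread (the scan connection's tag adjusted to
# @42 so it joins with the alarm below; that adjustment is an assumption).
CONN_LOG = [
    "1122055977.662564 0.105927 10.1.1.1 10.2.2.2 http 55985 80 tcp 735 12946 SF L %71",
    "1000057956.062082 ? 10.1.1.1 10.2.2.2 other 2222 3333 tcp ? ? S0 X @42",
    "Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66 239 RSTO X %14",
]
HTTP_LOG = [
    "1121793380.980924 %71 start 10.1.1.1 > 10.2.2.2",
    '1121793380.985317 %71 GET /foo/bar/baz.html (200 "OK" [145])',
]
ALARM_LOG = (
    "t=1000057981.940712 no=AddressScan na=NOTICE_ALARM_ALWAYS sa=10.1.1.1 sp=2222/tcp "
    "da=10.2.2.2 dp=3333/tcp msg=10.1.1.1\\ has\\ scanned\\ 2000\\ hosts\\ (3333/tcp) tag=@42"
)

if __name__ == "__main__":
    alarm = parse_alarm_line(ALARM_LOG)
    print(alarm["no"], "->", alarm["msg"])
    for conn in connections_for_alarm(alarm, index_conn_by_tag(CONN_LOG)):
        print("  conn:", conn["orig_h"], conn["orig_p"], "->", conn["resp_h"],
              conn["resp_p"], "state", conn["state"], "bytes", conn["orig_bytes"], conn["resp_bytes"])
    for ev in http_events_for_tag("%71", HTTP_LOG):
        print("  http %71:", ev["event"])
```

The `_KV` pattern is the part worth keeping: a naive `split()` on the alarm line would break the `msg=` value at every escaped space and silently shift the `tag=` field, so the join back to conn.log would fail without any error.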


