[Bro] fields in the conn.log
Jason Lee
jrlee at lbl.gov
Fri Jul 22 12:17:55 PDT 2005
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Angelita,
http://www.bro-ids.org/Bro-reference-manual/Connection-summaries.html
Explains how the fields are structured, but its a little out of date.
I'll fill in the missing parts and see that the manual gets updated.
Given a line like this from the conn.log:
1122055977.662564 0.105927 10.1.1.1 10.2.2.2 http 55985 80 tcp 735 12946 SF L %71
Unix Date/time: 1122055977.662564
Duration of the connection: 0.105927
Originator IP: 10.1.1.1
Responder IP: 10.2.2.2
Protocol: http
Originator port: 55985
Responder port: 80
Transport Protocol: tcp
Originator bytes sent: 735
Responder bytes sent: 12946
Flags: SF (Normal connection saw both SYN and FIN packets)
Additional Flags: L (connection was initiated locally)
Tag: %71
Now I can take my tag, and look in the http.log to
find out more about that connection (i'm running the
http analyzer):
http.log looks like this (example):
1121793380.980924 %71 start 10.1.1.1 > 10.2.2.2
1121793380.985317 %71 GET /foo/bar/baz.html (200 "OK" [145])
Having said all this, the alarm.log is very different, its
a 'tagged' format that is fairly self descriptive. This is
an example from the alarm.log file:
t=1000057981.940712 no=AddressScan na=NOTICE_ALARM_ALWAYS sa=10.1.1.1 sp=2222/tcp da=10.2.2.2 dp=3333/tcp msg=10.1.1.1\ has\ scanned\ 2000\ hosts\ (3333/tcp
) tag=@42
t: time
no: notice
na: notice action
sa: source address
sp: source port
da: destination address
dp: destination port
msg: message (in this case a host has scanned 20 hosts)
tag: identifier to match this to lines in notice.log and conn.log:
Now you can take the tag and look in the conn.log to find the connection (with grep):
1000057956.062082 ? 10.1.1.1 10.2.2.2 other 2222 3333 tcp ? ? S0 X @142
(we can see that it didn't connect and no bytes were transfered)
Also there is a good section in the manual about alarms:
http://www.bro-ids.org/Bro-user-manual/Analysis-of-Incidents-and-Alarms.html#Analysis-of-Incidents-and-Alarms
That should help explain the sort ids.
Hope this helps.
Cheers,
jason
Angelita de Cássia Corrêa wrote:
> Hi Jason,
>
> I need to understand more the alert, the definition of each column.
>
> In your example, could you explain me what each column means?
>
> *Sep 18 06:51:41 0.153497 131.243.2.87 131.243.2.13 http 2077 80 tcp 66
> 239 RSTO X %14*
> Sep 18 06:51:41 0.162454 131.243.2.87 131.243.2.13 http 2087 80 tcp 70
> 604 RSTO X %14
> Sep 18 06:51:42 0.153911 131.243.2.87 131.243.2.13 http 2100 80 tcp 80
> 604 RSTO X %14
> Sep 18 06:51:42 0.165501 131.243.2.87 131.243.2.13 http 2115 80 tcp 80
> 604 RSTO X %14
> *Date/time:* Sep 18 06:51:42
> *Duration of de connection:* 0.153497
> *Origin IP*: 131.243.2.87
> *Victim IP*: 131.243.2.13
> *Victim Protocol:* http
> *???: 2077*
> *Victim Port:* 80
> *Transport Protocol:* tcp
> *???: 66*
> *???: 239 *** (is this the alert SID0?)*
> *???: RSTO*
> *???: X*
> *???: %14*
>
>
> Does the bro use SID to identify the alert description?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFC4UZi37vOcEqHLkARAhkpAJ9kMmtwe8hrvMQ9J81Sj4x/s4Su1QCfZdVK
4LR1TMRj8dxXFplZPlZq3Ps=
=2q+C
-----END PGP SIGNATURE-----
More information about the Bro
mailing list