[Bro] L flag in conn log

scott sakai ssakai at sdsc.edu
Wed Dec 19 19:37:45 PST 2007


Have the semantics of the "L" flag in the conn log been changed?

From http://www.bro-ids.org/wiki/index.php/Reference_Manual:_Analyzers_and_Events#Connection_summaries:

Line format:
-----
<start> <duration> <local IP> <remote IP> <service> <local port> \
<remote port> <protocol> <org bytes sent>, <res bytes sent> <state> \
<flags> <tag>
-----

and 

-----
L indicates that the connection was initiated locally, i.e., the host corresponding to A_l initiated the connection. If L is missing, then the host corresponding to A_r initiated the connection.
-----

However, this does not seem to agree with what I see in the conn log.  When interpreted this way, I see strange stuff like a web server making outbound connections from port 80 to some high numbered port.  This is even more confusing when trying to figure out which host is portscanning and which one is being scanned.

The correct line format seems to be <start> <duration> <originating IP> <responding IP> <service> <originating port> <responding port>...  Can anyone confirm this?  

conn.bro, line 275 suggests that this is the case:

-----
local log_msg =
                fmt("%.6f %s %s %s %s %d %d %s %s %s %s %s",
  c$start_time, duration, id$orig_h, id$resp_h, s,
-----

However, I'd like to make sure that it is.

Thanks.
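As an added example (not from the original post or from Bro itself), here is a small parser for the 1.x conn log line in the field order the quoted conn.bro fmt() call suggests (orig_h, resp_h, orig_p, resp_p), with the "L" flag read as "the originator is a local host". That reading of "L", the field names, the "?" byte-count placeholder and the sample lines are all assumptions made for the example.

```python
# Added example: parse Bro 1.x conn.log lines assuming the originator/responder
# field order suggested by conn.bro, and derive local/remote from the "L" flag.
# The L-flag reading and the "?" placeholder are assumptions, not confirmed Bro semantics.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ConnRecord:
    start: float
    duration: float
    orig_h: str
    resp_h: str
    service: str
    orig_p: int
    resp_p: int
    proto: str
    orig_bytes: Optional[int]
    resp_bytes: Optional[int]
    state: str
    flags: str
    tag: str

    @property
    def initiated_locally(self) -> bool:
        # Assumed reading: an "L" in the flags column means the originator is local.
        return "L" in self.flags

    def local_remote(self) -> Tuple[str, str]:
        """(local host, remote host) under the originator/responder field order."""
        if self.initiated_locally:
            return self.orig_h, self.resp_h
        return self.resp_h, self.orig_h


def _byte_count(field: str) -> Optional[int]:
    # Assumption: an unknown byte count is written as "?" in the log.
    return None if field == "?" else int(field)


def parse_conn_line(line: str) -> ConnRecord:
    f = line.split()
    if len(f) < 12:
        raise ValueError(f"expected at least 12 fields, got {len(f)}: {line!r}")
    tag = f[12] if len(f) > 12 else ""  # the trailing <tag> column may be absent
    return ConnRecord(float(f[0]), float(f[1]), f[2], f[3], f[4], int(f[5]), int(f[6]),
                      f[7], _byte_count(f[8]), _byte_count(f[9]), f[10], f[11], tag)


# Constructed samples: a remote client reaching a local web server (no "L"),
# and a local host making a DNS query to a remote resolver ("L" set).
SAMPLE_INBOUND = "1198117065.123456 2.5 203.0.113.7 192.0.2.10 http 51234 80 tcp 512 4096 SF X"
SAMPLE_OUTBOUND = "1198117100.000000 0.1 192.0.2.10 198.51.100.5 dns 40123 53 udp ? 120 SF L"
```

With the originator/responder order, the inbound sample reads as the remote host initiating to port 80 on the local server, which is the interpretation that removes the "web server connecting out from port 80" oddity described above.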
