[Bro] Connection summary email inaccuracies

Siwek, Jonathan Luke jsiwek at illinois.edu
Wed Aug 28 10:30:48 PDT 2013


> Netstat doesn't indicate any dropped packets, and conn.log doesn't
> indicate any missed_bytes. Can anyone shed some light on why bro could
> be so wrong about these statistics? Would it matter that I am using a
> single instance of bro to monitor two interfaces (bro -i em0 -i em1)?

The interface thing shouldn't matter.  What version of Bro are you using?  I think there was some race in how log rotation postprocessing occurred that was fixed in git [1] that may be a cause for what you're seeing.  So you might try testing from git sources as a first step to see if suddenly the summary starts looking correct.

Else the approach to finding where it's going wrong would be:  Does conn.log look correct?  If no, then it's a Bro problem.  If yes, then it's a problem with how conn.log is parsed by $prefix/bin/trace-summary or how that python script is invoked by BroControl.  You should be able to run that trace-summary script manually on one of your conn.logs to see if it actually gives sane output.  That looks like:

    PYTHONPATH=/usr/local/bro/lib/broctl/ /usr/local/bro/bin/trace-summary -c -r -l /usr/local/bro/etc/networks.cfg conn.log

Doing a quick test myself I don't think I see anything overtly wrong, though there are some warnings from it that make me think payload may be under-reported.  Another weird thing is that if a connection is between two "local" hosts specified in networks.cfg, that's categorized as "outgoing", not "incoming".

- Jon

[1] https://bro-tracker.atlassian.net/browse/BIT-970
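An added example, not part of the thread or of Bro's own trace-summary: a small Python script that reproduces the conn.log-to-summary step of the check described above, parsing a constructed conn.log excerpt against a constructed networks.cfg and tallying connections, payload bytes and missed_bytes per direction, with local-to-local connections kept in their own bucket instead of being folded into "outgoing". The sample data and the helper names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed networks.cfg in Bro's format: "<CIDR> <description>", '#' starts a comment.
NETWORKS_CFG = """\
10.0.0.0/8      Private IP space   # constructed sample
192.168.1.0/24  Lab segment
"""

# Constructed, abridged conn.log (Bro ASCII logging: tab-separated, '-' = unset, '#' = header).
CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration"
    "\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes\thistory\n"
    "1377700000.1\tCa\t10.1.2.3\t51000\t93.184.216.34\t80\ttcp\thttp\t0.5\t300\t1200\tSF\tT\t0\tShADadFf\n"
    "1377700001.2\tCb\t203.0.113.7\t40000\t10.1.2.3\t22\ttcp\tssh\t2.0\t800\t-\tS0\tF\t0\tS\n"
    "1377700002.3\tCc\t10.1.2.3\t52000\t192.168.1.10\t445\ttcp\t-\t0.1\t100\t200\tSF\tT\t0\tShADadFf\n"
    "#close\t2013-08-28-10-30-48\n"
)

def load_networks(text):
    # Return the CIDR blocks listed in a networks.cfg body, ignoring comments and descriptions.
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line.split()[0], strict=False))
    return nets

def parse_conn_log(text):
    # Yield one dict per record, keyed by the names on the #fields header line.
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif fields and line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def summarize(conn_text, nets_text):
    # Count connections, payload bytes and missed bytes per direction.
    nets = load_networks(nets_text)
    local = lambda a: any(ipaddress.ip_address(a) in n for n in nets)
    num = lambda v: 0 if v == "-" else int(v)          # '-' is Bro's unset marker
    totals = defaultdict(lambda: {"conns": 0, "bytes": 0, "missed": 0})
    for rec in parse_conn_log(conn_text):
        o, r = local(rec["id.orig_h"]), local(rec["id.resp_h"])
        # trace-summary folds the local<->local case into "outgoing"; keep it separate here
        direction = "local" if o and r else "outgoing" if o else "incoming" if r else "external"
        t = totals[direction]
        t["conns"] += 1
        t["bytes"] += num(rec["orig_bytes"]) + num(rec["resp_bytes"])
        t["missed"] += num(rec["missed_bytes"])        # capture loss Bro noticed in this connection
    return dict(totals)
```

A non-zero "missed" total in any bucket means conn.log itself recorded capture gaps, which points at Bro rather than at trace-summary or BroControl.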
