[Bro] BRO conn.log - connection flow direction wrong - non standard telnet port connection

Konrad Weglowski knrd at rogers.com
Sun Nov 3 19:34:43 PST 2013


Hello Seth,

Thanks for looking into this.

I do not have notice.log file created in that particular timeframe. Also I
see that capture_loss.log files are there...see output below:

Session reported wrong direction:

zcat conn.00\:00\:00-01\:00\:00.log.gz | bro-cut -d ts uid proto conn_state
history | grep BuR4quUCRKe
2013-11-03T00:41:24+0000        BuR4quUCRKe     tcp     SH      Fa

Capture_loss log file for the same timeframe as above:

zcat capture_loss.00\:00\:00-01\:00\:00.log.gz | bro-cut -d
2013-11-03T00:11:59+0000        900.000034      bro     0       669214
0.000%
2013-11-03T00:26:59+0000        900.000020      bro     0       675273
0.000%
2013-11-03T00:41:59+0000        900.000052      bro     0       672973
0.000%
2013-11-03T00:56:59+0000        900.000032      bro     0       681093
0.000%


I had to look at a data from different timeframe as my BRO logs got deleted
from the time frame I referenced in the original email.

Thanks,

Konrad



-----Original Message-----
From: Seth Hall [mailto:seth at icir.org] 
Sent: October-30-13 10:21 AM
To: Konrad Weglowski
Cc: bro at bro.org
Subject: Re: [Bro] BRO conn.log - connection flow direction wrong - non
standard telnet port connection


On Oct 29, 2013, at 6:36 PM, Konrad Weglowski <knrd at rogers.com> wrote:

> Just to give some context, we have a script running which telnets to
multiple devices and polls certain variables and exits on a non-standard
telnet ports.

Are you dropping a lot of packets?  It looks like Bro isn't seeing the
beginning of these connections (syn packets) which makes it nearly
impossible to determine the direction without guessing.  Bro's current
strategy for "fixing" reversed connections like this is by consulting the
likely_server_ports variable but since it sounds like you are using
non-standard ports it's unlikely that this would work.

I think the big question we need to answer is why you aren't seeing the SYN
packets.  Check for PacketFilter::Dropped_Packets notices in your notice.log
and add "@load misc/capture-loss" to your local.bro script so that you will
have a capture_loss.log which will give a holistic measurement of packet
loss.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/



-----
No virus found in this message.
Checked by AVG - www.avg.com
Version: 2014.0.4158 / Virus Database: 3615/6806 - Release Date: 11/03/13




More information about the Bro mailing list