[Bro] BRO conn.log - connection flow direction wrong - non standard telnet port connection
Konrad Weglowski
knrd at rogers.com
Sun Nov 3 19:34:43 PST 2013
Hello Seth,
Thanks for looking into this.
I do not have a notice.log file created in that particular timeframe. Also I
see that the capture_loss.log files are there...see output below:
Session reported wrong direction:
zcat conn.00\:00\:00-01\:00\:00.log.gz | bro-cut -d ts uid proto conn_state history | grep BuR4quUCRKe
2013-11-03T00:41:24+0000 BuR4quUCRKe tcp SH Fa
Capture_loss log file for the same timeframe as above:
zcat capture_loss.00\:00\:00-01\:00\:00.log.gz | bro-cut -d
2013-11-03T00:11:59+0000 900.000034 bro 0 669214 0.000%
2013-11-03T00:26:59+0000 900.000020 bro 0 675273 0.000%
2013-11-03T00:41:59+0000 900.000052 bro 0 672973 0.000%
2013-11-03T00:56:59+0000 900.000032 bro 0 681093 0.000%
I had to look at data from a different timeframe, as my Bro logs got deleted
from the timeframe I referenced in the original email.
Thanks,
Konrad
-----Original Message-----
From: Seth Hall [mailto:seth at icir.org]
Sent: October-30-13 10:21 AM
To: Konrad Weglowski
Cc: bro at bro.org
Subject: Re: [Bro] BRO conn.log - connection flow direction wrong - non
standard telnet port connection
On Oct 29, 2013, at 6:36 PM, Konrad Weglowski <knrd at rogers.com> wrote:
> Just to give some context, we have a script running which telnets to
> multiple devices and polls certain variables and exits on non-standard
> telnet ports.
Are you dropping a lot of packets? It looks like Bro isn't seeing the
beginning of these connections (syn packets) which makes it nearly
impossible to determine the direction without guessing. Bro's current
strategy for "fixing" reversed connections like this is by consulting the
likely_server_ports variable but since it sounds like you are using
non-standard ports it's unlikely that this would work.
I think the big question we need to answer is why you aren't seeing the SYN
packets. Check for PacketFilter::Dropped_Packets notices in your notice.log
and add "@load misc/capture-loss" to your local.bro script so that you will
have a capture_loss.log which will give a holistic measurement of packet
loss.
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
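A quick way to check Seth's hypothesis across a whole conn.log, rather than one uid at a time, is to count how many connections Bro saw without the originator's SYN and how many of those have the service port on the originator side. The script below is an added example for this thread, not code from the Bro project or from either poster. It reads bro-cut output (field order is assumed to be `ts id.orig_h id.orig_p id.resp_h id.resp_p proto conn_state history`), the sample rows and the capture_loss rows are constructed, and port 2323 is a placeholder for whatever non-standard telnet ports the polling script actually uses. It also prints the `redef likely_server_ports` line that would let Bro flip such connections toward the real server; that addresses the symptom only, the missing SYNs still point at packet loss or an asymmetric tap.

```python
"""Triage a Bro conn.log for connections Bro only saw mid-stream.

Added example, not code from the Bro project or from the mailing-list thread.
Input is `bro-cut -d ts id.orig_h id.orig_p id.resp_h id.resp_p proto
conn_state history` output; all sample data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed conn.log rows. The first row mirrors the reversed session in the
# thread: conn_state SH, history "Fa", and the telnet port on the "originator".
SAMPLE_CONN = """\
2013-11-03T00:41:24+0000 10.0.0.5 2323 10.0.1.9 51022 tcp SH Fa
2013-11-03T00:41:30+0000 10.0.1.9 51031 10.0.0.6 2323 tcp SF ShADadFf
2013-11-03T00:42:01+0000 10.0.0.7 2323 10.0.1.9 51040 tcp OTH DdA
2013-11-03T00:42:15+0000 10.0.1.9 51044 10.0.0.5 23 tcp SF ShAdDaFf
"""

# Constructed capture_loss.log rows (bro-cut -d: ts ts_delta peer gaps acks pct).
SAMPLE_CAPTURE_LOSS = """\
2013-11-03T00:11:59+0000 900.000034 bro 0 669214 0.000
2013-11-03T00:26:59+0000 900.000020 bro 12 675273 0.002
"""

# Ports the polling script telnets to (assumed; 2323 is a placeholder).
TELNET_PORTS = {23, 2323}


@dataclass
class Conn:
    ts: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str
    conn_state: str
    history: str

    def saw_orig_syn(self):
        # Bro history letters: upper case = originator, lower case = responder,
        # 'S' = SYN, 'h' = SYN-ACK. A history starting with 'S' means the first
        # packet Bro saw was the originator's SYN, so the direction is known
        # rather than inferred from the first packet / likely_server_ports.
        return self.history.startswith("S")

    def looks_reversed(self, service_ports):
        # Service port on the originator side, ephemeral port on the responder
        # side: the classic symptom of a guessed (wrong) direction.
        return self.orig_p in service_ports and self.resp_p not in service_ports


def parse_conn(text):
    """Parse bro-cut conn.log rows into Conn records, skipping comments/blanks."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        rows.append(Conn(f[0], f[1], int(f[2]), f[3], int(f[4]), f[5], f[6], f[7]))
    return rows


def triage(rows, service_ports):
    """Count total rows, rows with no originator SYN, and rows that look reversed."""
    c = Counter(total=len(rows))
    for r in rows:
        syn = r.saw_orig_syn()
        if not syn:
            c["no_syn"] += 1
        if r.looks_reversed(service_ports):
            c["reversed"] += 1
            if not syn:
                c["reversed_no_syn"] += 1
    return c


def capture_loss_summary(text):
    """Sum gaps and acks over all capture_loss intervals; return (gaps, acks, pct).

    pct is 100 * gaps / acks, i.e. the same ratio Bro reports per interval,
    here aggregated over the whole file (assumed; verify against your version).
    """
    gaps = acks = 0
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        gaps += int(f[3])
        acks += int(f[4])
    return gaps, acks, (100.0 * gaps / acks) if acks else 0.0


def likely_server_ports_redef(service_ports):
    """Bro script line that declares the non-standard ports as server ports."""
    ports = ", ".join(f"{p}/tcp" for p in sorted(service_ports))
    return f"redef likely_server_ports += {{ {ports} }};"


if __name__ == "__main__":
    stats = triage(parse_conn(SAMPLE_CONN), TELNET_PORTS)
    print("conn.log:", dict(stats))
    gaps, acks, pct = capture_loss_summary(SAMPLE_CAPTURE_LOSS)
    print(f"capture_loss: gaps={gaps} acks={acks} lost={pct:.4f}%")
    print("add to local.bro:", likely_server_ports_redef(TELNET_PORTS))
```

Run it against real data with `zcat conn.*.log.gz | bro-cut -d ts id.orig_h id.orig_p id.resp_h id.resp_p proto conn_state history` piped into `parse_conn`. If `reversed_no_syn` is close to `reversed`, the wrong direction is a consequence of missing SYNs, not of Bro's state machine, and capture_loss showing 0% only rules out loss Bro can detect from ack gaps; a tap that carries one direction of traffic only will not show up there at all.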