[Bro] BRO conn.log - connection flow direction wrong - non standard telnet port connection

Konrad Weglowski knrd at rogers.com
Tue Oct 29 15:36:17 PDT 2013


Hello,

I am a pretty new user of Bro and use it as part of the Security Onion
distribution. I recently came across a problem which I was hoping one of
you might be able to help with.

When looking at some telnet connections on a non-standard TCP port I noticed
that some data flows are reported in the wrong direction. When I checked the
conn.log files, all the entries in question had the same characteristics
below:

1. They would only appear in the archived (gzipped) conn.*.log.gz files, not
   the current conn.log file.

2. Entries would always be at the beginning of the zipped conn.*.log.gz
   file.

3. The conn_state field would say RSTR.

4. The history field would be DaFr (on most of them).

Below are some examples. As you can see, the file name reflects the from/to
date/time, and the entries in question where the flow direction is reversed
have the characteristics below:

zcat conn.16:27:17-17:00:00.log.gz | bro-cut -d ts proto conn_state history | grep RSTR
2013-10-25T16:27:12+0000        tcp     RSTR    DaFr
2013-10-25T16:27:12+0000        tcp     RSTR    DaFr
2013-10-25T16:27:12+0000        tcp     RSTR    DaFr
<snip>

zcat conn.18:36:28-19:00:00.log.gz | bro-cut -d ts proto conn_state history | grep RSTR
2013-10-25T18:36:23+0000        tcp     RSTR    DaFr
2013-10-25T18:36:23+0000        tcp     RSTR    DaFr
2013-10-25T18:36:23+0000        tcp     RSTR    DaFr
<snip>

It almost seems that this happens when the conn.log file is being divided up
and zipped.

Just to give some context, we have a script running which telnets to
multiple devices on non-standard telnet ports, polls certain variables and
exits.

Thanks,

Konrad
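As an added example for this thread (not code from the original post or from the Bro project), the script below picks out the kind of conn.log rows described above: entries whose history string contains neither an originator SYN ('S') nor a responder SYN-ACK ('h'), meaning Bro never saw the handshake and assigned originator/responder from whichever side sent the first packet it captured, plus entries whose timestamp falls before the rotation window encoded in a file name such as conn.16:27:17-17:00:00.log.gz. The sample log is constructed in Bro's TSV layout, trimmed to a few columns, with made-up addresses, ports and uids; the '^' check assumes the convention of later Bro/Zeek releases that mark a heuristically flipped connection in the history field.

```python
"""Find conn.log entries whose originator/responder direction Bro had to guess.

Added example for this thread; not code from the original post or from Bro.
Bro's history field holds one letter per event, uppercase for the originator
and lowercase for the responder: S/s SYN, H/h SYN-ACK, A/a ACK, D/d data,
F/f FIN, R/r RST.  When neither 'S' (originator SYN) nor 'h' (responder
SYN-ACK) is present, Bro never saw the handshake and assigned the roles from
whichever side sent the first packet it captured, so an entry such as
conn_state RSTR / history DaFr may well have its direction reversed.
Later Bro/Zeek releases also prefix history with '^' when their heuristic
flipped the direction after the fact (assumption about newer versions).
"""
import gzip
import os
import re
from datetime import datetime, timezone

# Constructed sample in Bro's TSV conn.log layout, trimmed to the columns used
# here (real files carry more).  Addresses, ports and uids are made up; the
# two DaFr rows are stamped 2013-10-25T16:27:12Z, five seconds before the
# 16:27:17 window start of the file name quoted in the post.
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1382718432.120000\tCXWv6p3arKYeMETxOg\t10.0.0.50\t2323\t10.0.0.9\t51822\ttcp\tRSTR\tDaFr
1382718432.130000\tCYk3YxPzmVzHf3b4vc\t10.0.0.51\t2323\t10.0.0.9\t51823\ttcp\tRSTR\tDaFr
1382718500.000000\tC4J4Th3PJpwUYZZ6gc\t10.0.0.9\t51830\t10.0.0.52\t2323\ttcp\tSF\tShADadFf
1382718510.000000\tCmES5u32sYpV7JYN\t10.0.0.9\t51831\t10.0.0.53\t2323\ttcp\tRSTO\tShADadR
"""


def parse_conn_log(text):
    """Return conn.log data rows as dicts keyed by the names in the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines (#separator, #types, #close ...)
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def read_conn_log(path):
    """Read a live or rotated (gzip) conn.log from disk."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return parse_conn_log(fh.read())


def direction_note(history):
    """Reason the orig/resp assignment is untrustworthy, or None if the handshake was seen."""
    if history.startswith("^"):
        return "direction flipped by Bro heuristic"
    if "S" not in history and "h" not in history:
        return "no handshake seen; direction taken from first captured packet"
    return None


def window_start_seconds(filename):
    """Start of a rotated file's window as seconds after midnight, e.g.
    'conn.16:27:17-17:00:00.log.gz' -> 59237; None if the name has no window."""
    m = re.match(r"conn\.(\d{2}):(\d{2}):(\d{2})-", os.path.basename(filename))
    if not m:
        return None
    h, mi, s = map(int, m.groups())
    return h * 3600 + mi * 60 + s


def seconds_of_day(ts):
    """UTC seconds after midnight for a conn.log epoch timestamp (bro-cut -d printed +0000)."""
    dt = datetime.fromtimestamp(float(ts), tz=timezone.utc)
    return dt.hour * 3600 + dt.minute * 60 + dt.second


def suspect_entries(text, filename=None):
    """(uid, conn_state, history, reasons) for every row whose direction is doubtful
    or whose ts falls before the rotation window in the file name (midnight wrap ignored)."""
    start = window_start_seconds(filename) if filename else None
    out = []
    for r in parse_conn_log(text):
        reasons = []
        note = direction_note(r["history"])
        if note:
            reasons.append(note)
        if start is not None and seconds_of_day(r["ts"]) < start:
            reasons.append("ts precedes the file's rotation window")
        if reasons:
            out.append((r["uid"], r["conn_state"], r["history"], reasons))
    return out


if __name__ == "__main__":
    for uid, state, hist, why in suspect_entries(SAMPLE_CONN_LOG, "conn.16:27:17-17:00:00.log.gz"):
        print(uid, state, hist, "; ".join(why))
```

Run against the sample, only the two DaFr rows are reported, each for both reasons; the ShADadFf and ShADadR rows, whose history records the SYN and SYN-ACK, pass. Against real rotated files use read_conn_log(path) and pass the file name to suspect_entries, and treat the flagged rows' id.orig_h/id.resp_h as unverified rather than as evidence of which host initiated the session.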