[Bro] BRO conn.log - connection flow direction wrong - non standard telnet port connection
Konrad Weglowski
knrd at rogers.com
Tue Oct 29 15:36:17 PDT 2013
Hello,
I am a pretty new user of Bro and use it as part of the Security Onion
distribution. I recently came across a problem which I was hoping one of
you might be able to help with.
When looking at some telnet connections on a non-standard TCP port I noticed
that some data flows are reported in the wrong direction. When I checked the
conn.log files, all the entries in question had the same characteristics
below:
1. They would only appear in the archived (gzip) conn.*.log.zip files - not
the current conn.log file.
2. Entries would always be at the beginning of the zipped conn.*.log.zip
file.
3. Conn_State field would say RSTR.
4. History field would be DaFr (on most of them).
Below are some examples. As you can see, the file name reflects the from/to
date/time, and the entries in question, where the flow direction is
reversed, have the characteristics described above:
zcat conn.16:27:17-17:00:00.log.gz | bro-cut -d ts proto conn_state history | grep RSTR
2013-10-25T16:27:12+0000 tcp RSTR DaFr
2013-10-25T16:27:12+0000 tcp RSTR DaFr
2013-10-25T16:27:12+0000 tcp RSTR DaFr
<snip>
zcat conn.18:36:28-19:00:00.log.gz | bro-cut -d ts proto conn_state history | grep RSTR
2013-10-25T18:36:23+0000 tcp RSTR DaFr
2013-10-25T18:36:23+0000 tcp RSTR DaFr
2013-10-25T18:36:23+0000 tcp RSTR DaFr
<snip>
It almost seems that this happens when the conn.log file is being divided
up and zipped.
Just to give some context, we have a script running which telnets to
multiple devices, polls certain variables and exits, on non-standard
telnet ports.
Thanks,
Konrad
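As an added example that is not part of the original post: a small Python scan over conn.log entries that flags the pattern described above. An entry whose history contains no 'S' or 's' was picked up mid-stream (Bro never saw a SYN, so the originator/responder roles were assigned without a handshake); when such an entry's "originator" port is one of the polling script's telnet ports, the direction has almost certainly been swapped. The conn.log sample, the field subset and the port set (2323) are constructed for this example; the post does not name the ports.

```python
import gzip
from typing import Dict, Iterable, List, Set

# Constructed sample in Bro's TSV conn.log layout, trimmed to the fields used here.
# ts 1382718432 is 2013-10-25T16:27:12+0000, matching the bro-cut -d output above.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\thistory\n"
    "1382718432.1\tC1\t10.0.0.5\t2323\t10.0.0.9\t51234\ttcp\tRSTR\tDaFr\n"
    "1382718432.2\tC2\t10.0.0.9\t51235\t10.0.0.5\t2323\ttcp\tSF\tShADadFf\n"
    "1382718433.0\tC3\t10.0.0.5\t2323\t10.0.0.10\t40000\ttcp\tRSTR\tDaFr\n"
    "1382718440.0\tC4\t10.0.0.9\t51236\t10.0.0.5\t2323\ttcp\tRSTR\tDaFr\n"
)

# Ports the polling script connects to (assumed value; not taken from the post).
TELNET_PORTS: Set[int] = {2323}


def parse_conn_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse Bro TSV log lines using the #fields header; other '#' lines are skipped."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def picked_up_midstream(rec: Dict[str, str]) -> bool:
    """No 'S'/'s' in history: Bro saw no SYN, so orig/resp roles were guessed."""
    return not any(c in "Ss" for c in rec["history"])


def likely_reversed(rec: Dict[str, str], server_ports: Set[int] = TELNET_PORTS) -> bool:
    """Mid-stream entry whose 'originator' port is a known server port: roles swapped."""
    return picked_up_midstream(rec) and int(rec["id.orig_p"]) in server_ports


def find_reversed(lines: Iterable[str], server_ports: Set[int] = TELNET_PORTS) -> List[str]:
    """Return the uids of entries whose direction should not be trusted."""
    return [r["uid"] for r in parse_conn_log(lines) if likely_reversed(r, server_ports)]


def scan_file(path: str) -> List[str]:
    """Run find_reversed over a plain or gzipped conn.log archive."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return find_reversed(fh)
```

Entries the scan reports should be read with the endpoints swapped, or excluded, before using conn.log to reason about which side initiated the session.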