[Bro] BRO conn.log - connection flow direction wrong - non standard telnet port connection

Seth Hall seth at icir.org
Wed Oct 30 07:20:49 PDT 2013


On Oct 29, 2013, at 6:36 PM, Konrad Weglowski <knrd at rogers.com> wrote:

> Just to give some context, we have a script running which telnets to multiple devices and polls certain variables and exits, on non-standard telnet ports.

Are you dropping a lot of packets?  It looks like Bro isn't seeing the beginning of these connections (syn packets) which makes it nearly impossible to determine the direction without guessing.  Bro's current strategy for "fixing" reversed connections like this is by consulting the likely_server_ports variable but since it sounds like you are using non-standard ports it's unlikely that this would work.

I think the big question we need to answer is why you aren't seeing the SYN packets.  Check for PacketFilter::Dropped_Packets notices in your notice.log and add "@load misc/capture-loss" to your local.bro script so that you will have a capture_loss.log which will give a holistic measurement of packet loss.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
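
The following is an added example (not code from this thread or from the Bro project) showing how a defender can check conn.log for the situation Seth describes: connections where Bro never saw the originator's SYN and therefore had to guess the direction. It parses Bro 2.x conn.log lines from the `#fields` header, reads the `history` field (uppercase letters are originator-side events, lowercase responder-side, `S` being a SYN), and applies the same idea as `likely_server_ports`: an operator-supplied set of known service ports is used to propose the corrected orientation. The log lines, the UIDs, the hosts and the server port 2323 are all constructed for the example.

```python
"""Flag conn.log entries whose direction Bro may have guessed.

Added example, not part of the mailing-list thread or of Bro itself.
Assumes Bro 2.x conn.log column names and the standard history letters.
"""

# Constructed sample log: one normal connection, one recorded backwards
# (the device's port 2323 ended up as id.orig_p), and one whose SYN was
# simply missed but whose orientation still looks plausible.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
1383100000.000000\tCabc1\t10.0.0.5\t51000\t10.0.1.20\t2323\ttcp\t-\t1.2\t40\t300\tSF\t-\t0\tShADadfF\t6\t400\t5\t600\t(empty)
1383100001.000000\tCabc2\t10.0.1.21\t2323\t10.0.0.5\t51002\ttcp\t-\t1.1\t310\t42\tOTH\t-\t0\tDadf\t5\t600\t6\t400\t(empty)
1383100002.000000\tCabc3\t10.0.0.5\t51004\t10.0.1.22\t2323\ttcp\t-\t0.9\t40\t290\tOTH\t-\t0\tDad\t4\t300\t4\t500\t(empty)
"""


def parse_conn_log(text):
    """Turn a tab-separated Bro log into a list of dicts keyed by #fields."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blanks
        if fields is None:
            raise ValueError("conn.log data seen before the #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def assess(row, known_server_ports):
    """Classify one connection's direction as ok / likely_reversed / unverified.

    known_server_ports plays the role of Bro's likely_server_ports: ports the
    operator knows their devices listen on (including non-standard ones).
    """
    history = row.get("history", "-")
    orig_p = int(row["id.orig_p"])
    resp_p = int(row["id.resp_p"])
    syn_seen = "S" in history          # originator SYN observed
    responder_sent_syn = "s" in history  # responder sent a SYN: clear reversal
    ports_suggest_reversal = (resp_p not in known_server_ports
                              and orig_p in known_server_ports)

    if syn_seen and not responder_sent_syn:
        verdict = "ok"            # Bro saw the handshake; direction is authoritative
    elif responder_sent_syn or ports_suggest_reversal:
        verdict = "likely_reversed"
    else:
        verdict = "unverified"    # no SYN, but nothing contradicts the recorded direction

    result = {"uid": row["uid"], "verdict": verdict, "syn_seen": syn_seen,
              "suggested_orig": None, "suggested_resp": None}
    if verdict == "likely_reversed":
        # Propose the swapped orientation for the analyst to confirm.
        result["suggested_orig"] = f"{row['id.resp_h']}:{resp_p}"
        result["suggested_resp"] = f"{row['id.orig_h']}:{orig_p}"
    return result


def assess_log(text, known_server_ports):
    return [assess(r, known_server_ports) for r in parse_conn_log(text)]


def no_syn_fraction(results):
    """Share of connections with no originator SYN: a crude loss indicator.

    This is not the same measurement as Bro's capture_loss.log (which is
    based on gaps in acknowledged data); it only says how often the start
    of a connection was missed.
    """
    if not results:
        return 0.0
    return sum(1 for r in results if not r["syn_seen"]) / len(results)


if __name__ == "__main__":
    results = assess_log(SAMPLE_CONN_LOG, known_server_ports={2323})
    for r in results:
        print(r)
    print(f"connections without a SYN: {no_syn_fraction(results):.0%}")
```

A high no-SYN fraction points back at the real question in the reply: why the SYNs are not reaching Bro. That is what the `PacketFilter::Dropped_Packets` notices and `capture_loss.log` answer. For the non-standard ports themselves, the Bro-side equivalent of the `known_server_ports` set above is extending `likely_server_ports` in local.bro, e.g. `redef likely_server_ports += { 2323/tcp };` (2323 again being the example port, not a value from the thread).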
