[Bro] Bro bug?

Kellogg, Brian D (OLN) bkellogg at dresser-rand.com
Sun Jan 19 08:45:11 PST 2014


largeTx.bro alerts on any outgoing Txs over X bytes.  If of sufficient size it sends an email alert.

get.bash uses tshark to extract captured Security Onion FPC packets from /nsm/sensor_data/so-OLN-eth0/dailylogs/2014-01-19.

I received an email alert saying that 1.1.1.1 transmitted over 1GB of information to 2.2.2.2.  Therefore I went to the FPC directory above to extract this communication to see what it was.  The extracted content was ~3.5MB in size. 

I've tested this with several large file uploads and have gotten consistent and accurate results with all tests.  Therefore I'm confused as to how this alert was generated.

Is this an intermittent bug possibly or am I not understanding something?

The email alert I received from Bro 2.2 on Security Onion with all the latest patches is included as well.  The duration is odd as well.  I've received a handful of similar alerts for large transfers and very short durations.


Thank you,
Brian Kellogg


-------------- next part --------------
A non-text attachment was scrubbed...
Name: largeTx.bro
Type: application/octet-stream
Size: 1812 bytes
Desc: largeTx.bro
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140119/7ceb6811/attachment.obj 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: alert-email.txt
Url: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140119/7ceb6811/attachment.txt 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: get.bash
Type: application/octet-stream
Size: 307 bytes
Desc: get.bash
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140119/7ceb6811/attachment-0001.obj 
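As an added example (not largeTx.bro, get.bash or any other code from the message above, whose attachments were scrubbed), the following Python script does the same threshold check against a Bro/Zeek conn.log and adds the sanity check a defender would want when an alert claims 1GB in a very short duration: it computes the throughput the logged byte count implies and compares it with the link's capacity, and it surfaces the conn.log fields that record whether Bro saw all of the payload (missed_bytes, and the G/g content-gap marker in history). Assumptions: the column names are the stock conn.log fields, LINK_MBPS is a hypothetical sensor link speed, and the log lines are constructed for this example rather than taken from the post.

```python
#!/usr/bin/env python3
"""Threshold alert on outgoing bytes in a Bro/Zeek conn.log, plus a plausibility
check on the implied throughput.

Added example; not largeTx.bro or any other code from the original message.
Assumptions: stock conn.log column names (orig_bytes, duration, missed_bytes,
history); LINK_MBPS is a hypothetical link speed; the log lines are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical capacity of the monitored link, in Mbit/s (assumption).
LINK_MBPS = 1000.0

# Constructed conn.log excerpt in Bro's TSV format (a subset of the stock columns).
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration"
    "\torig_bytes\tresp_bytes\tconn_state\tmissed_bytes\thistory",
    # 1 GiB claimed in 0.412 s: far beyond what a 1 Gbit/s link can carry.
    "1390137911.123456\tCXWv6p3arKYeMETxOg\t1.1.1.1\t49152\t2.2.2.2\t443\ttcp"
    "\t0.412\t1073741824\t1540\tSF\t1073700000\tShADGadfF",
    # 200 MiB over two minutes: an ordinary large upload.
    "1390140000.000000\tC4J4Th3PJpwUYZZ6gc\t1.1.1.1\t49160\t3.3.3.3\t443\ttcp"
    "\t120.0\t209715200\t4096\tSF\t0\tShADadfF",
    # A small request/response pair, below any threshold.
    "1390140050.500000\tCmES5u32sYpV7JYN\t1.1.1.1\t49170\t4.4.4.4\t80\ttcp"
    "\t0.05\t512\t20480\tSF\t0\tShADadFf",
])


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse a Bro/Zeek TSV log into one dict per connection, keyed by #fields."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue  # other header/footer lines (#separator, #types, #close ...)
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def _num(value: str) -> float:
    """Bro logs unset fields as '-'; treat them as zero for byte/duration maths."""
    return 0.0 if value == "-" else float(value)


@dataclass
class LargeTxAlert:
    uid: str
    orig_h: str
    resp_h: str
    orig_bytes: int
    duration: float
    implied_mbps: float
    missed_bytes: int
    content_gap: bool

    @property
    def plausible(self) -> bool:
        """True when the link could actually have carried that many bytes in that time."""
        return self.implied_mbps <= LINK_MBPS


def find_large_transfers(records: List[Dict[str, str]], threshold_bytes: int) -> List[LargeTxAlert]:
    """Return an alert for every connection whose originator sent more than the threshold."""
    alerts: List[LargeTxAlert] = []
    for r in records:
        orig_bytes = int(_num(r["orig_bytes"]))
        if orig_bytes <= threshold_bytes:
            continue
        duration = _num(r["duration"])
        # Throughput the byte count implies; infinite if Bro logged no duration at all.
        implied_mbps = orig_bytes * 8 / duration / 1e6 if duration > 0 else float("inf")
        history = r.get("history", "-")
        alerts.append(LargeTxAlert(
            uid=r["uid"], orig_h=r["id.orig_h"], resp_h=r["id.resp_h"],
            orig_bytes=orig_bytes, duration=duration, implied_mbps=implied_mbps,
            missed_bytes=int(_num(r.get("missed_bytes", "-"))),
            # 'G' (originator) / 'g' (responder) in history marks a content gap.
            content_gap=("G" in history or "g" in history),
        ))
    return alerts


def report(alerts: List[LargeTxAlert]) -> List[str]:
    """One human-readable line per alert, flagging counts the link could not have carried."""
    lines = []
    for a in alerts:
        verdict = "plausible" if a.plausible else "IMPLAUSIBLE: exceeds link capacity"
        lines.append(
            f"{a.orig_h} -> {a.resp_h} uid={a.uid}: {a.orig_bytes} bytes in {a.duration:.3f}s "
            f"(~{a.implied_mbps:.1f} Mbit/s, {verdict}, missed_bytes={a.missed_bytes}, "
            f"content_gap={a.content_gap})"
        )
    return lines


if __name__ == "__main__":
    for line in report(find_large_transfers(parse_conn_log(SAMPLE_CONN_LOG), 100 * 1024 * 1024)):
        print(line)
```

Run against a real conn.log by feeding the file contents to `parse_conn_log` and setting LINK_MBPS to the sensor's actual link speed; an alert marked implausible, or carrying a non-zero missed_bytes, is one to verify against the FPC data before trusting the byte count.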

