[Bro] Duplication of packets and UID's

nate nate at nullbyte.net
Thu May 1 10:05:19 PDT 2014


My Bro setup is part of Security Onion, but they recommended coming to 
Bro for assistance. Another user on the SO mailing list reported similar 
problems 
(https://groups.google.com/forum/#!topic/security-onion/7x27uKttByM). 
I've sent this email twice already, but the attachment is apparently too 
large and a mod needs to approve it, which hasn't happened for almost 
two weeks. So this will be sent without the sostat attachment.

This is running on Ubuntu 12.4.4 w/ the older 3.8 kernel (as specified 
in Security Onion install). Bro version is 2.2. Let me know what 
additional information to provide.

===============================

We've run into a very strange occurrence with our SO and Bro setup. 
We're seeing duplicated log entries that are mere microseconds apart. 
This is a standalone setup.

So we have two specific issues:

======

Problem #1


From our log, lines 837 & 838:

<13>Apr  9 18:26:11 aus-sosensor01 bro_dns: 1397067970.115680 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 45159 security.kali.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 173.246.39.190 60.000000 F
<13>Apr  9 18:26:11 aus-sosensor01 bro_dns: 1397067970.115695 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 45159 security.kali.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 173.246.39.190 60.000000 F

Note the UID: CPxjB93OPbytcuTF3

Now, lines 1130-1133

<13>Apr  9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115700 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
<13>Apr  9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115704 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA - - F F T F 0 - - F
<13>Apr  9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115700 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
<13>Apr  9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115704 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA - - F F T F 0 - - F

The same UID, but 10 seconds apart from the first events. As well, 
notice that lines 1132 and 1133 are exact duplicates of lines 1130 and 
1131. Even the timestamps are the same (which puts them out of order as 
they're duplicated: .115700 -> .115704 -> .115700 -> .115704).

1. Why are lines 837 & 838 duplicates of each other, with different time 
stamps?
2. Why are lines 1130 & 1131 duplicated immediately after (lines 1132 & 
1133), with the same timestamps?
3. Why do both sections of packets, 10 seconds apart, have the same UID?

======

Problem #2

Same file, lines 1081 - 1102 are this line:

<13>Apr  9 18:26:21 aus-sosensor01 bro_dns: 1397067969.888173 CjW8ry3fUCdzFscJvk fe80::426c:8fff:fe37:4b49 5353 ff02::fb 5353 udp 0 _zuul1000207._udp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F

It repeats 22 times, each with a unique timestamp, separated only by 
microseconds.

Immediately following these 22 lines is this line:

<13>Apr  9 18:26:21 aus-sosensor01 bro_dns: 1397067970.062631 CjW8ry3fUCdzFscJvk fe80::426c:8fff:fe37:4b49 5353 ff02::fb 5353 udp 0 - - - - - - - F F F F 0 - - F

This occurs on lines 1103 - 1124. Exactly the same, but with different 
timestamps, separated only by microseconds.

Why was the same event captured multiple times, at different microseconds, 
and logged each time?

======

Conclusion:

Are the above issues a performance problem? Do we need to 
increase/decrease the number of instances of Bro? Do we need to do some 
other kind of tuning? Is this just a completely one-off problem?

These are not the only occurrences of these two problems. There are 
hundreds of duplicated packets with the same timestamps, or duplicated 
packets with timestamps only separated by microseconds.

What in the world is going on?
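Before changing worker counts it helps to measure how much of the log is repeated and in which of the two shapes the post describes. This is an added example, not code from the post, Bro or Security Onion: a Python script that parses syslog-wrapped bro_dns records and counts byte-identical repeats, same-content records microseconds apart, and the distinct syslog times each UID is logged under; the sample records are constructed after the ones quoted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the records quoted in the post (the mailer turned
# the log's tabs into runs of spaces, so the parser splits on any whitespace).
SAMPLE = """\
<13>Apr  9 18:26:11 aus-sosensor01 bro_dns: 1397067970.115680 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 45159 security.kali.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 173.246.39.190 60.000000 F
<13>Apr  9 18:26:11 aus-sosensor01 bro_dns: 1397067970.115695 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 45159 security.kali.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 173.246.39.190 60.000000 F
<13>Apr  9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115700 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
<13>Apr  9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115704 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA - - F F T F 0 - - F
<13>Apr  9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115700 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
<13>Apr  9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115704 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA - - F F T F 0 - - F
<13>Apr  9 18:26:21 aus-sosensor01 bro_dns: 1397067969.888173 CjW8ry3fUCdzFscJvk fe80::426c:8fff:fe37:4b49 5353 ff02::fb 5353 udp 0 _zuul1000207._udp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F
<13>Apr  9 18:26:21 aus-sosensor01 bro_dns: 1397067969.888181 CjW8ry3fUCdzFscJvk fe80::426c:8fff:fe37:4b49 5353 ff02::fb 5353 udp 0 _zuul1000207._udp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F
"""

# syslog prefix: "<PRI>Mon dd HH:MM:SS host bro_dns: <dns.log record>"
PREFIX = re.compile(r"^<\d+>(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ bro_dns: (.*)$")

def parse(text):
    """Return (syslog_time, bro_ts, uid, body) per record; body is every field after bro_ts."""
    out = []
    for line in text.splitlines():
        m = PREFIX.match(line)
        if m:
            f = m.group(2).split()
            out.append((m.group(1), float(f[0]), f[1], tuple(f[1:])))
    return out

def audit(records, near_us=1000):
    """Separate byte-identical repeats from same-content records microseconds apart,
    and list the distinct syslog times each UID was logged under."""
    exact = Counter((ts, body) for _, ts, _, body in records)
    by_body, by_uid = defaultdict(list), defaultdict(set)
    for systime, ts, uid, body in records:
        by_body[body].append(ts)
        by_uid[uid].add(systime)
    near = 0
    for stamps in by_body.values():
        stamps.sort()
        for a, b in zip(stamps, stamps[1:]):
            if 0 < (b - a) * 1e6 <= near_us:  # same content, different timestamp
                near += 1
    return {"records": len(records),
            "exact_dups": sum(n - 1 for n in exact.values()),
            "near_dups": near,
            "uid_syslog_times": {u: sorted(t) for u, t in by_uid.items()}}

if __name__ == "__main__":
    print(audit(parse(SAMPLE)))
```

Run against a full day of bro_dns syslog output, a large `exact_dups` count points at the log being written twice, while a large `near_dups` count points at the same packets being seen more than once on the capture side.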
