[Bro] Duplication of packets and UID's
nate
nate at nullbyte.net
Thu May 1 10:05:19 PDT 2014
My Bro setup is part of Security Onion, but they recommended coming to
Bro for assistance. Another user on the SO mailing list reported similar
problems
(https://groups.google.com/forum/#!topic/security-onion/7x27uKttByM).
I've sent this email twice already, but the attachment is apparently too
large and a mod needs to approve it, which hasn't happened for almost
two weeks. So this will be sent without the sostat attachment.
This is running on Ubuntu 12.4.4 w/ the older 3.8 kernel (as specified
in Security Onion install). Bro version is 2.2. Let me know what
additional information to provide.
===============================
We've run into a very strange occurrence with our SO and Bro setup.
We're seeing duplicated log entries that are mere microseconds apart.
This is a standalone setup.
So we have two specific issues:
======
Problem #1
From our log, lines 837 & 838:
<13>Apr 9 18:26:11 aus-sosensor01 bro_dns: 1397067970.115680 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 45159 security.kali.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 173.246.39.190 60.000000 F
<13>Apr 9 18:26:11 aus-sosensor01 bro_dns: 1397067970.115695 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 45159 security.kali.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 173.246.39.190 60.000000 F
Note the UID: CPxjB93OPbytcuTF3
Now, lines 1130-1133
<13>Apr 9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115700 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
<13>Apr 9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115704 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA - - F F T F 0 - - F
<13>Apr 9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115700 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F
<13>Apr 9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115704 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA - - F F T F 0 - - F
The same UID, but 10 seconds apart from the first events. As well,
notice that lines 1132 and 1133 are exact duplicates of lines 1130 and
1131. Even the timestamps are the same (which puts them out of order as
they're duplicated: .115700 -> .115704 -> .115700 -> .115704)
1. Why are lines 837 & 838 duplicates of each other, with different time
stamps?
2. Why are lines 1130 & 1131 duplicated immediately after (lines 1132 &
1133), with the same timestamps?
3. Why do both sections of packets, 10 seconds apart, have the same UID?
======
Problem #2
Same file, lines 1081 - 1102 are this line:
<13>Apr 9 18:26:21 aus-sosensor01 bro_dns: 1397067969.888173 CjW8ry3fUCdzFscJvk fe80::426c:8fff:fe37:4b49 5353 ff02::fb 5353 udp 0 _zuul1000207._udp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F
It repeats 22 times, each with a unique timestamp, separated only by
microseconds.
Immediately following these 22 lines is this line:
<13>Apr 9 18:26:21 aus-sosensor01 bro_dns: 1397067970.062631 CjW8ry3fUCdzFscJvk fe80::426c:8fff:fe37:4b49 5353 ff02::fb 5353 udp 0 - - - - - - - F F F F 0 - - F
Which occurs from 1103 - 1124. Exactly the same, but different
timestamps, separated only by microseconds.
Why was the same event captured multiple times, at different microseconds
and logged each time?
======
Conclusion:
Are the above issues a performance problem? Do we need to
increase/decrease the number of instances of Bro? Do we need to do some
other kind of tuning? Is this just a completely one-off problem?
These are not the only occurrences of these two problems. There are
hundreds of duplicated packets with the same timestamps, or duplicated
packets with timestamps only separated by microseconds.
What in the world is going on?
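The two patterns the post describes can be checked for mechanically over a syslog-forwarded bro_dns feed. The script below is an added example, not code from the original post or from Bro/Security Onion: it groups records by UID plus the remaining dns.log fields, counts records that differ only in a Bro timestamp a few microseconds apart, and flags any UID whose records were emitted by syslog more than a few seconds apart. The sample lines are taken from the post and joined onto single lines, except the last one, which is constructed as a non-duplicate control.

```python
import re
from collections import defaultdict

# syslog header "<pri>Mon D HH:MM:SS host bro_dns: " followed by Bro 2.2 dns.log fields
LINE_RE = re.compile(r"^<\d+>\w+\s+\d+\s+(\d+):(\d+):(\d+)\s+\S+\s+bro_dns:\s+(.*)$")

def parse(line):
    """Return (syslog seconds-of-day, bro_ts, uid, other_fields) or None for non-dns lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, rest = m.groups()
    f = rest.split()
    return int(h) * 3600 + int(mi) * 60 + int(s), float(f[0]), f[1], tuple(f[2:])

def find_anomalies(lines, dup_window=0.001, uid_span=5):
    """near_dups: per UID, pairs of records identical except for a Bro timestamp
    within dup_window seconds of each other (problems #1 and #2 in the post).
    wide_uids: UIDs whose records syslog emitted more than uid_span seconds apart
    (the "same UID, 10 seconds apart" observation)."""
    by_record = defaultdict(list)   # (uid, fields) -> [bro_ts, ...]
    emitted = defaultdict(list)     # uid -> [syslog seconds-of-day, ...]
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        wall, ts, uid, fields = rec
        by_record[(uid, fields)].append(ts)
        emitted[uid].append(wall)
    near_dups = defaultdict(int)
    for (uid, _), stamps in by_record.items():
        stamps.sort()
        near_dups[uid] += sum(1 for a, b in zip(stamps, stamps[1:]) if b - a <= dup_window)
    wide_uids = {u: max(w) - min(w) for u, w in emitted.items() if max(w) - min(w) > uid_span}
    return {u: n for u, n in near_dups.items() if n}, wide_uids

SAMPLE = [  # first four records are from the post; the last is a constructed control
    "<13>Apr 9 18:26:11 aus-sosensor01 bro_dns: 1397067970.115680 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 45159 security.kali.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 173.246.39.190 60.000000 F",
    "<13>Apr 9 18:26:11 aus-sosensor01 bro_dns: 1397067970.115695 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 45159 security.kali.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 173.246.39.190 60.000000 F",
    "<13>Apr 9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115700 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F",
    "<13>Apr 9 18:26:21 aus-sosensor01 bro_dns: 1397067970.115700 CPxjB93OPbytcuTF3 10.6.0.183 62218 10.6.0.35 53 udp 48870 security.kali.org 1 C_INTERNET 28 AAAA 0 NOERROR F F T F 0 - - F",
    "<13>Apr 9 18:26:15 aus-sosensor01 bro_dns: 1397067974.000000 CxAmPl3CtrlUid 10.6.0.50 40000 10.6.0.35 53 udp 100 example.org 1 C_INTERNET 1 A 0 NOERROR F F T T 0 203.0.113.5 60.000000 F",
]

if __name__ == "__main__":
    dups, wide = find_anomalies(SAMPLE)
    for uid, n in dups.items():
        print(f"{uid}: {n} near-duplicate record pair(s)")
    for uid, span in wide.items():
        print(f"{uid}: same UID emitted {span}s apart by syslog")
```

Tighten dup_window toward zero to report only the exact-timestamp repeats and leave the microsecond-apart ones out.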