[Bro] Problem identifying originator in Kerberos connections

Vlad Grigorescu vlad at grigorescu.org
Mon Aug 3 08:44:56 PDT 2015

Hi Peter,

This is not a known issue, so I'd like to figure out what you're seeing and
fix any problems. If you could share a few log lines exhibiting this
behavior, that'd be very helpful (any IP addresses, usernames, etc. can be
redacted or modified as long as the issue is still clear).

There are actually two Kerberos analyzers - one for TCP and one for UDP.
TCP should be a bit more reliable, but for UDP who the originator is and
who the responder is is simply an educated guess. The guess is mainly based
off of the port numbers - if a packet is going to 88/udp, it's assumed to
be from the originator to the responder.

Both the request and response packets will be written out as a single log
line, with the same originator and responder. This is consistent with other
Bro logs - the originator and responder don't refer to the packet, but to
the transaction as a whole. Loosely speaking, the originator can be thought
of as "the host that sent the request," while the responder is "the host
that replied to the request."


On Wed, Jul 29, 2015 at 3:38 PM, Peter Hansen <pch66 at cornell.edu> wrote:

> Hello all,
> I have been working with Kerberos in Bro for a bit, and a problem I am
> consistently having is that for some reason with Kerberos packets, Bro
> cannot correctly identify the correct originator IP address in
> kerberos.log. It appears that the response packets are having their orig_h
> and resp_h values (and corresponding ports) swapped, so all connections
> made in the transfer are incorrectly identified as having the same
> originating IP address.
> Is this a known issue? Am I doing something wrong? Looking at the packets
> in Wireshark correctly identifies them.
> Thanks,
> Peter
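
The port-based guess for UDP and the single-record-per-transaction logging described in the reply, as an added Python sketch (not Bro's analyzer code and not part of the original e-mail). The addresses, ports, function names and the fallback used when the ports give no hint are assumptions.

```python
from collections import OrderedDict

KRB_PORT = 88  # Kerberos port the message names for the UDP guess

# Constructed sample packets: (src_ip, src_port, dst_ip, dst_port, message)
SAMPLE = [
    ("192.0.2.10", 50123, "198.51.100.5", 88, "AS-REQ"),
    ("198.51.100.5", 88, "192.0.2.10", 50123, "AS-REP"),
    ("192.0.2.10", 50124, "198.51.100.5", 88, "TGS-REQ"),
    ("198.51.100.5", 88, "192.0.2.10", 50124, "TGS-REP"),
    ("198.51.100.5", 88, "198.51.100.6", 88, "TGS-REQ"),  # both ports 88
    ("198.51.100.6", 88, "198.51.100.5", 88, "TGS-REP"),
]

def guess_endpoints(src, sport, dst, dport):
    """Return (originator, responder, confident) for a single UDP packet."""
    if dport == KRB_PORT and sport != KRB_PORT:
        return (src, sport), (dst, dport), True   # heading to 88/udp: a request
    if sport == KRB_PORT and dport != KRB_PORT:
        return (dst, dport), (src, sport), True   # leaving 88/udp: a reply, flip
    # Assumption: the ports give no hint, so treat the sender as originator.
    return (src, sport), (dst, dport), False

def transactions(packets):
    """Fold request and reply packets into one record per transaction."""
    records = OrderedDict()
    for src, sport, dst, dport, msg in packets:
        orig, resp, confident = guess_endpoints(src, sport, dst, dport)
        key = (orig, resp)
        if not confident and (resp, orig) in records:
            key = (resp, orig)  # reply to an ambiguous request seen earlier
        rec = records.setdefault(key, {"orig": key[0], "resp": key[1],
                                       "msgs": [], "guessed": not confident})
        rec["msgs"].append(msg)
    return list(records.values())

if __name__ == "__main__":
    for rec in transactions(SAMPLE):
        flag = " (direction guessed)" if rec["guessed"] else ""
        print(rec["orig"], "->", rec["resp"], rec["msgs"], flag)
```

Records marked as guessed are the ones to cross-check against the packet capture before trusting the originator field.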