[Bro] A strange connection
Michel Laterman
mlaterma at ucalgary.ca
Sun Jan 25 06:58:19 PST 2015
Hello,
I recently saw the same thing in my logs. It's because orig_bytes and resp_bytes use sequence numbers to find bytes transferred; you are seeing the sequence number rollover. orig_ip_bytes and resp_ip_bytes should have the correct values of bytes (with TCP headers).
Michel
On Jan 25, 2015 7:40 AM, Balasubramaniam Natarajan <bala150985 at gmail.com> wrote:
>
>
>
> On Sun, Jan 25, 2015 at 6:12 PM, Po-Ching Lin <pachinko.tw at gmail.com> wrote:
>>
>>
>> 1419498119.991707 CLQP0QdahFaFha0U2 140.x.x.x 58967 66.171.248.x 80 tcp http 253.220343 114502461 592490922 SF T 114502154
>> ShADadfF 5 519 6 578 (empty)
>>
>> Po-Ching
>>
>
> Is this by any chance an SF scan? If this were a normal connection, won't we be seeing an Ack Flag, Push Flag in addition to the SF noted above?
>
> --
> Regards,
> Balasubramaniam Natarajan
> http://blog.etutorshop.com
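
A sanity check that follows from the explanation in this message, as an added example that is not part of the original thread: it flags conn.log records whose sequence-derived `orig_bytes`/`resp_bytes` exceed the packet-counted `orig_ip_bytes`/`resp_ip_bytes`. It assumes the default Bro 2.x conn.log column order (which the quoted record matches); the function names are hypothetical and the second sample record is constructed.

```python
# Added example: find conn.log records whose payload byte counters are
# larger than the IP-level byte counters for the same direction.
# Assumption: default Bro 2.x conn.log column order.
FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto",
          "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
          "local_orig", "missed_bytes", "history", "orig_pkts",
          "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents"]

# Record quoted in the thread (joined onto one line, addresses masked as posted).
THREAD_LINE = ("1419498119.991707 CLQP0QdahFaFha0U2 140.x.x.x 58967 "
               "66.171.248.x 80 tcp http 253.220343 114502461 592490922 SF T "
               "114502154 ShADadfF 5 519 6 578 (empty)")
# Constructed record with consistent counters, for comparison.
NORMAL_LINE = ("1419498200.000000 Cconstructed0001 192.0.2.10 40000 "
               "198.51.100.20 80 tcp http 0.500000 120 300 SF T "
               "0 ShADadfF 5 388 5 568 (empty)")

def parse_conn(line):
    """Split one record; real logs are tab-separated, mail copies are not."""
    values = line.split("\t") if "\t" in line else line.split()
    if len(values) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(values)))
    return dict(zip(FIELDS, values))

def as_int(value):
    """Bro writes '-' for unset counters; treat those as unknown."""
    return None if value == "-" else int(value)

def suspect_counters(rec):
    """Return the directions whose payload bytes exceed the IP bytes seen.

    IP byte counts include headers, so for the packets actually observed the
    payload count cannot be larger; when it is, use the *_ip_bytes value.
    """
    flagged = []
    for side in ("orig", "resp"):
        payload = as_int(rec[side + "_bytes"])
        ip_total = as_int(rec[side + "_ip_bytes"])
        if payload is not None and ip_total is not None and payload > ip_total:
            flagged.append(side)
    return flagged

if __name__ == "__main__":
    for line in (THREAD_LINE, NORMAL_LINE):
        rec = parse_conn(line)
        print(rec["uid"], suspect_counters(rec) or "consistent")
```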