[Bro] Problem with connections in S1 and SF state
Sven Dreyer
sven at dreyer-net.de
Tue Nov 17 12:38:56 PST 2015
Dear list,
I'm having trouble understanding some log entries from my conn.log. I
already learned from this mailing list that bro cannot surely detect who
initiated a connection if it does not see the initial connection setup,
which seems logical to me.
But if I look to my conn.log file, I find entries like these:
1446190221.687738 Cbu3fj3FYdODxvLF1h 87.152.221.xxx 50993 192.168.100.yyy 36709 tcp ssl 122.745965 1238 5340 S1 F T 0 ShADad 20 2050 19 6112 (empty)
1446190138.746769 CykNrp4VEfzbrJ2vm6 87.152.221.xxx 50993 192.168.100.yyy 36679 tcp ssl 223.406750 1384 18908 S1 F T 0 ShADad 39 2956 36 20360 (empty)
It looks like our IMAP server (87.152.221.xxx running on port 50993)
initiated a connection to my notebook (192.168.100.yyy). That should not
be possible due to lack of port forwarding for this connection.
So my first guess is that bro didn't see the initial connection setup
(midstream traffic, OTH state). But I took a look into the documentation
on https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html
regarding the reported states (S1), which says:
S1 Connection established, not terminated.
This looks to me like bro saw the connection setup. Or did I get
something wrong here?
Oh and by the way: the next paragraph reads:
SF Normal establishment and termination. Note that this is the same
symbol as for state S1. You can tell the two apart because for S1 there
will not be any byte counts in the summary, while for SF there will be.
I don't understand this. Do S1 and SF really only differ in byte count
zero or non-zero? It seems to me that they also differ in "connection
still alive" and "connection was terminated".
Looking further through the logs, I also find entries with "SF" flag in
which source and destination seem twisted:
1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.xxx 50993 192.168.100.yyy 20108 tcp - 462.348551 401 754 SF F T 0 DdAfFa 13 921 12 1234 (empty)
Does anybody have a hint? Did I misunderstand something?
I'm running bro 2.4.1.
Thanks a lot!
Sven
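As an added example (editor's code, not part of the original post and not Bro's own code), the following Python reads rows in the Bro 2.4 conn.log column layout quoted above and decodes the history field: upper-case letters are packets from the originator, lower-case from the responder, so a history that begins with the originator's SYN and contains the responder's SYN-ACK means Bro saw the handshake, while one that begins with data shows the roles were assigned from the first packet Bro happened to see. The two sample rows and their addresses are constructed to mirror the post.

```python
"""Decode conn_state and history in Bro 2.4 conn.log rows."""

# Column order of a Bro 2.4 conn.log (fields are whitespace-separated here
# because the rows in the post were flattened; real logs are tab-separated).
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service "
          "duration orig_bytes resp_bytes conn_state local_orig local_resp "
          "missed_bytes history orig_pkts orig_ip_bytes resp_pkts "
          "resp_ip_bytes tunnel_parents").split()

# Constructed sample rows modelled on the ones in the post.
SAMPLE = """\
1446190221.687738 Cbu3fj3FYdODxvLF1h 87.152.221.1 50993 192.168.100.2 36709 tcp ssl 122.745965 1238 5340 S1 F T 0 ShADad 20 2050 19 6112 (empty)
1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.1 50993 192.168.100.2 20108 tcp - 462.348551 401 754 SF F T 0 DdAfFa 13 921 12 1234 (empty)
"""

# History letters Bro 2.4 uses (case selects the sender).
HISTORY_MEANING = {"s": "SYN", "h": "SYN-ACK", "a": "ACK", "d": "data",
                   "f": "FIN", "r": "RST", "c": "bad checksum",
                   "i": "inconsistent"}


def parse_conn(line):
    """Split one row into a dict keyed by conn.log field name."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return dict(zip(FIELDS, values))


def describe_history(history):
    """Expand a history string into (sender, event) pairs."""
    return [("orig" if ch.isupper() else "resp",
             HISTORY_MEANING.get(ch.lower(), "?")) for ch in history]


def handshake_seen(history):
    """True when Bro saw the originator's SYN and the responder's SYN-ACK."""
    return history.startswith("S") and "h" in history


def assess(row):
    """Summarise whether the originator/responder roles rest on a handshake."""
    hist = row["history"]
    return {"uid": row["uid"], "conn_state": row["conn_state"],
            "handshake_seen": handshake_seen(hist),
            "first_event": describe_history(hist)[0] if hist else None}


def assess_log(text):
    """Assess every non-comment row of a conn.log body."""
    return [assess(parse_conn(l)) for l in text.splitlines()
            if l and not l.startswith("#")]


if __name__ == "__main__":
    for result in assess_log(SAMPLE):
        print(result)
```

For the rows in the post, the S1 entries carry ShADad (handshake seen, the remote host really sent the SYN), whereas the SF entry carries DdAfFa (no SYN seen), so its originator is simply whichever side sent the first packet Bro captured.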