[Bro] Problem with connections in S1 and SF state

derek at criticalstack.com derek at criticalstack.com
Wed Nov 25 05:08:39 PST 2015



Sven,


Try running the pcap through your local policy scripts and check the output: 


bro -r file.pcap local


I don't otherwise have a specific clue why this could happen, but it's best to compare the same process.


-Derek



From: Sven Dreyer

Sent: Thursday, November 19, 10:34

Subject: Re: [Bro] Problem with connections in S1 and SF state

To: bro at bro.org, Azoff, Justin S



Justin, thanks for the hint. I should indeed have checked the history field. But even for connections that do not start with d or D in the history field, I see the same behaviour. Source and destination is still twisted: 1447675087.121817 CjRCD61gNErucciPb8 87.144.16.xxx 50993 192.168.100.yyy 26577 tcp ssl 83.596659 1432 2619 S1 F T 0 ShADad 18 2164 15 3231 (empty) Bro is configured to listen to a bridge interface (br0). But I also have running a dumpcap process writing all packets to pcap files. Interestingly, if I feed the corresponding pcap file to bro (bro -r file.pcap), I get source and destination in the right order: 1447675087.121817 C2AvJf3WgcdiBlYfS4 192.168.100.yyy 26577 87.144.16.xxx 50993 tcp ssl 83.596659 1432 2619 S1 - - 0 ShADad 18 2164 15 3231 (empty) Does anybody have an explanation for this? Thanks, Sven Am 17.11.2015 um 21:53 schrieb Azoff, Justin S: > You should really be looking at the history field: > > history: string &log &optional > Records the state history of connections as a string of letters. The meaning of those letters is: > > Letter	Meaning > s	a SYN w/o the ACK bit set > h	a SYN+ACK (“handshake”) > a	a pure ACK > d	packet with payload (“data”) > f	packet with FIN bit set > r	packet with RST bit set > c	packet with a bad checksum > i	inconsistent packet (e.g. SYN+RST bits both set) > If the event comes from the originator, the letter is in upper-case; if it comes from the responder, it’s in lower-case. Multiple packets of the same type will only be noted once (e.g. we only record one “d” in each direction, regardless of how many data packets were seen.) > > So any connection that starts with D or d means bro missed the initial syn handshake (Sh) > > _______________________________________________ Bro mailing list bro at bro-ids.org http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20151125/3c211a8a/attachment-0001.html 


More information about the Bro mailing list