[Bro] Problem with connections in S1 and SF state
derek at criticalstack.com
Wed Nov 25 05:08:39 PST 2015
Sven,
Try running the pcap through your local policy scripts and check the output:
bro -r file.pcap local
I don't otherwise have a specific clue why this could happen, but it's best to compare the same process.
-Derek
From: Sven Dreyer
Sent: Thursday, November 19, 10:34
Subject: Re: [Bro] Problem with connections in S1 and SF state
To: bro at bro.org, Azoff, Justin S
Justin, thanks for the hint. I should indeed have checked the history field. But even for connections that do not start with d or D in the history field, I see the same behaviour. Source and destination are still twisted:

1447675087.121817 CjRCD61gNErucciPb8 87.144.16.xxx 50993 192.168.100.yyy 26577 tcp ssl 83.596659 1432 2619 S1 F T 0 ShADad 18 2164 15 3231 (empty)

Bro is configured to listen to a bridge interface (br0). But I also have a dumpcap process running that writes all packets to pcap files. Interestingly, if I feed the corresponding pcap file to bro (bro -r file.pcap), I get source and destination in the right order:

1447675087.121817 C2AvJf3WgcdiBlYfS4 192.168.100.yyy 26577 87.144.16.xxx 50993 tcp ssl 83.596659 1432 2619 S1 - - 0 ShADad 18 2164 15 3231 (empty)

Does anybody have an explanation for this?

Thanks, Sven

On 17.11.2015 at 21:53, Azoff, Justin S wrote:
> You should really be looking at the history field:
>
> history: string &log &optional
> Records the state history of connections as a string of letters. The meaning of those letters is:
>
> Letter  Meaning
> s       a SYN w/o the ACK bit set
> h       a SYN+ACK (“handshake”)
> a       a pure ACK
> d       packet with payload (“data”)
> f       packet with FIN bit set
> r       packet with RST bit set
> c       packet with a bad checksum
> i       inconsistent packet (e.g. SYN+RST bits both set)
>
> If the event comes from the originator, the letter is in upper-case; if it comes from the responder, it’s in lower-case. Multiple packets of the same type will only be noted once (e.g. we only record one “d” in each direction, regardless of how many data packets were seen.)
>
> So any connection that starts with D or d means bro missed the initial syn handshake (Sh)
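As an added illustration of the two checks discussed in this thread (it is not code from the list or from the Bro project), the following Python script decodes a conn.log history string using the letter table Justin quoted, flags records whose history starts with d/D as a missed handshake, and compares a live-capture conn.log against the `bro -r file.pcap` output the way Derek suggests, reporting flows whose originator differs between the two runs. It assumes the default Bro 2.4 conn.log column order (21 whitespace-separated columns, which matches the two records Sven pasted) and uses those two records, with their masked xxx/yyy octets, as constructed sample input. Matching a live record to a pcap record by identical timestamp and 5-tuple is an assumption that only holds when both runs see the same packets.

```python
"""Decode Bro conn.log history strings and compare originator/responder
orientation between two conn.log outputs (e.g. live br0 vs. bro -r file.pcap).
Added example, not Bro project code. Column order is assumed to be the
Bro 2.4 default conn.log layout (21 columns)."""

CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts",
    "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# Letter meanings as quoted in the thread; case encodes the direction.
HISTORY_LETTERS = {
    "s": "SYN w/o ACK", "h": "SYN+ACK (handshake)", "a": "pure ACK",
    "d": "packet with payload", "f": "FIN set", "r": "RST set",
    "c": "bad checksum", "i": "inconsistent packet",
}

# Constructed sample input: the two records from the thread (masked octets kept).
LIVE_LINES = [
    "1447675087.121817 CjRCD61gNErucciPb8 87.144.16.xxx 50993 192.168.100.yyy 26577 "
    "tcp ssl 83.596659 1432 2619 S1 F T 0 ShADad 18 2164 15 3231 (empty)",
]
PCAP_LINES = [
    "1447675087.121817 C2AvJf3WgcdiBlYfS4 192.168.100.yyy 26577 87.144.16.xxx 50993 "
    "tcp ssl 83.596659 1432 2619 S1 - - 0 ShADad 18 2164 15 3231 (empty)",
]


def parse_conn_line(line):
    """Split one whitespace-separated conn.log record into a field dict."""
    fields = line.split()
    if len(fields) != len(CONN_FIELDS):
        raise ValueError("expected %d columns, got %d" % (len(CONN_FIELDS), len(fields)))
    return dict(zip(CONN_FIELDS, fields))


def decode_history(history):
    """Expand a history string into (direction, meaning) tuples.
    Upper-case letters come from the originator, lower-case from the responder."""
    decoded = []
    for ch in history:
        who = "originator" if ch.isupper() else "responder"
        decoded.append((who, HISTORY_LETTERS.get(ch.lower(), "unknown")))
    return decoded


def missed_handshake(history):
    """True when the first packet Bro recorded already carried payload,
    i.e. the SYN/SYN+ACK exchange (Sh) was not seen."""
    return history[:1] in ("d", "D")


def flow_key(rec):
    """Orientation-insensitive key: same timestamp, protocol and 5-tuple
    regardless of which endpoint Bro labelled as originator."""
    a = (rec["id.orig_h"], rec["id.orig_p"])
    b = (rec["id.resp_h"], rec["id.resp_p"])
    return (rec["ts"], rec["proto"]) + tuple(sorted([a, b]))


def find_direction_swaps(live_lines, pcap_lines):
    """Return (live_uid, pcap_uid, live_orig_h, pcap_orig_h) for every flow
    present in both logs whose originator address differs."""
    pcap = {flow_key(r): r for r in map(parse_conn_line, pcap_lines)}
    swaps = []
    for rec in map(parse_conn_line, live_lines):
        other = pcap.get(flow_key(rec))
        if other is not None and other["id.orig_h"] != rec["id.orig_h"]:
            swaps.append((rec["uid"], other["uid"], rec["id.orig_h"], other["id.orig_h"]))
    return swaps


if __name__ == "__main__":
    for rec in map(parse_conn_line, LIVE_LINES):
        print(rec["uid"], "missed handshake:", missed_handshake(rec["history"]))
        for who, meaning in decode_history(rec["history"]):
            print("   ", who, "->", meaning)
    for swap in find_direction_swaps(LIVE_LINES, PCAP_LINES):
        print("direction differs: live %s orig=%s vs pcap %s orig=%s" % swap)
```

Running it on the two quoted records reports no missed handshake (history `ShADad` begins with the originator's SYN) but one direction swap, which is exactly the symptom Sven describes: the history field cannot reveal the flip on its own, so comparing the live log against the pcap replay is the useful check.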