[Bro] Problem with connections in S1 and SF state
Sven Dreyer
sven at dreyer-net.de
Wed Apr 27 04:40:39 PDT 2016
Dear list,
we are still having problems with messed up src and dst ip/port of some
connections.
What we did up to now:
- Disabled bridging and used a single interface (eth1) for packet
capturing, as suggested by Seth Hall
- Disabled offloading by running "ethtool -K eth1 tso off ufo off gso
off gro off lro off" in the interface's post-up script
- Changed hardware from a "PC Engines APU 1C4" embedded board to a
"Thomas Krenn LESv2" system
- Checked the history field in conn.log for "ShA" flags, as suggested by
Justin S. Azoff
I found several entries like this in conn.log:
1457953693.259152 CaUcf02Z9xpSSHPz24 10.85.1.1 50993 10.85.1.104 41023 tcp ssl 302.736749 987 7059 SF T T 0 ShADadFfR 23 2167 16 7899 (empty)
According to conn.log, this is a connection from 10.85.1.1 (internal IP
of our server) port 50993 (the IMAP-TLS port the server uses) to
10.85.1.104 (a notebook computer) port 41023, lasting for 302 seconds.
My understanding is that bro saw the whole connection from establishment
to termination (according to the history field).
In fact, the notebook established a connection to the IMAP service of
our server. So src ip and port and dst ip and port are twisted in conn.log.
The problem is reproducible (at least in our environment). I captured a
pcap file on the same machine running bro, using the same interface and
stripped it down so that it contains only the above mentioned connection
- 39 frames and about 15 kB (see attachment). If I inject this pcap file
in the network using
tcpreplay -i eth1 twisted.pcapng
bro shows a connection from 10.85.1.1 => 10.85.1.104 (wrong!) in
conn.log. If instead I read the pcap file using "bro -r", conn.log shows
a connection from 10.85.1.104 => 10.85.1.1 (correct!).
Does anybody have a further idea what we could do to track the problem down?
Thanks and best regards, Sven
On 17.11.2015 at 21:38, Sven Dreyer wrote:
> Dear list,
>
> I'm having trouble understanding some log entries from my conn.log. I
> already learned from this mailing list that bro cannot surely detect who
> initiated a connection if it does not see the initial connection setup,
> which seems logical to me.
>
> But if I look to my conn.log file, I find entries like these:
>
> 1446190221.687738 Cbu3fj3FYdODxvLF1h 87.152.221.xxx 50993 192.168.100.yyy 36709 tcp ssl 122.745965 1238 5340 S1 F T 0 ShADad 20 2050 19 6112 (empty)
> 1446190138.746769 CykNrp4VEfzbrJ2vm6 87.152.221.xxx 50993 192.168.100.yyy 36679 tcp ssl 223.406750 1384 18908 S1 F T 0 ShADad 39 2956 36 20360 (empty)
>
> It looks like our IMAP server (87.152.221.xxx running on port 50993)
> initiated a connection to my notebook (192.168.100.yyy). That should not
> be possible due to lack of port forwarding for this connection.
>
> So my first guess is that bro didn't see the initial connection setup
> (midstream traffic, OTH state). But I took a look into the documentation
> on https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html
> regarding the reported states (S1), which says:
>
> S1 Connection established, not terminated.
>
> This looks to me like bro saw the connection setup. Or did I get
> something wrong here?
>
> Oh and by the way: the next paragraph reads:
>
> SF Normal establishment and termination. Note that this is the same
> symbol as for state S1. You can tell the two apart because for S1 there
> will not be any byte counts in the summary, while for SF there will be.
>
> I don't understand this. Do S1 and SF really only differ in byte count
> zero or non-zero? It seems to me that they also differ in "connection
> still alive" and "connection was terminated".
>
> Looking further through the logs, I also find entries with "SF" flag in
> which source and destination seem twisted:
>
> 1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.xxx 50993 192.168.100.yyy 20108 tcp - 462.348551 401 754 SF F T 0 DdAfFa 13 921 12 1234 (empty)
>
> Does anybody have a hint? Did I misunderstand something?
>
> I'm running bro 2.4.1.
>
> Thanks a lot!
> Sven
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: twisted.pcapng
Type: application/octet-stream
Size: 14856 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160427/c57d736c/attachment-0001.obj
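A small checker for the kind of records discussed in this thread, added here as an example and not part of the original post or of Bro itself. It assumes the Bro 2.4 conn.log column order (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration, orig_bytes, resp_bytes, conn_state, local_orig, local_resp, missed_bytes, history, orig_pkts, orig_ip_bytes, resp_pkts, resp_ip_bytes, tunnel_parents), splits on whitespace because the archive flattened the tabs, and takes a constructed set of the local server's listening ports (here just the IMAP-TLS port 50993 from the thread). It decodes the history string per direction, reports whether a SYN/SYN-ACK handshake and a FIN/RST closure were actually seen (which is what separates an S1 record from an SF record in the samples above), and flags records whose originator port is a local service port or whose direction Bro had to guess because no handshake was captured. The sample records are the ones from the thread plus one constructed, correctly oriented connection for contrast.

```python
"""Sanity-check Bro 2.4 conn.log records for swapped originator/responder.

Added example; not Bro's code. Assumes the Bro 2.4 column order below and a
constructed set of local server ports.
"""

# Bro 2.4 conn.log columns, in order. Real logs are tab-separated; the list
# archive flattened the tabs to spaces, so we split on any whitespace.
FIELDS = (
    "ts uid orig_h orig_p resp_h resp_p proto service duration orig_bytes "
    "resp_bytes conn_state local_orig local_resp missed_bytes history "
    "orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents"
).split()

# History letters: uppercase = sent by originator, lowercase = sent by responder.
HISTORY_LETTERS = {
    "s": "SYN", "h": "SYN-ACK", "a": "ACK", "d": "payload", "f": "FIN",
    "r": "RST", "c": "bad checksum", "i": "inconsistent packet",
}


def parse_conn_record(line):
    """Split one flattened conn.log line into a dict keyed by column name."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d columns, got %d" % (len(FIELDS), len(parts)))
    rec = dict(zip(FIELDS, parts))
    rec["orig_p"] = int(rec["orig_p"])
    rec["resp_p"] = int(rec["resp_p"])
    return rec


def decode_history(history):
    """Expand a history string into (sender, event) pairs in packet order."""
    return [
        ("originator" if ch.isupper() else "responder",
         HISTORY_LETTERS.get(ch.lower(), "unknown(%s)" % ch))
        for ch in history
    ]


def handshake_seen(history):
    """True if Bro saw the originator's SYN and a SYN-ACK from the responder."""
    return history.startswith("S") and "h" in history


def closure_seen(history):
    """True if either side sent FIN or RST; absent in the S1 samples, present in SF."""
    return any(ch in history for ch in "FfRr")


def suspect_inversion(rec, server_ports):
    """Return the reasons why originator and responder may be swapped.

    server_ports: ports the local server listens on. Clients use ephemeral
    ports, so a local service port in the *originator* slot is suspicious.
    Without a captured handshake Bro had to guess who initiated.
    """
    reasons = []
    if rec["orig_p"] in server_ports and rec["resp_p"] not in server_ports:
        reasons.append("originator port %d is a local service port" % rec["orig_p"])
    if not handshake_seen(rec["history"]):
        reasons.append("no SYN/SYN-ACK in history %r; direction was guessed" % rec["history"])
    return reasons


def scan(lines, server_ports):
    """Return [(uid, reasons)] for every record that looks inverted."""
    flagged = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):   # skip blanks and Bro's header lines
            continue
        rec = parse_conn_record(line)
        reasons = suspect_inversion(rec, server_ports)
        if reasons:
            flagged.append((rec["uid"], reasons))
    return flagged


# Two records from the thread (joined onto one line each) plus one constructed
# record showing a normally oriented client-to-IMAP-TLS connection.
SAMPLE_LOG = [
    "1457953693.259152 CaUcf02Z9xpSSHPz24 10.85.1.1 50993 10.85.1.104 41023 tcp ssl 302.736749 987 7059 SF T T 0 ShADadFfR 23 2167 16 7899 (empty)",
    "1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.xxx 50993 192.168.100.yyy 20108 tcp - 462.348551 401 754 SF F T 0 DdAfFa 13 921 12 1234 (empty)",
    # constructed record, not from the thread
    "1457953700.000000 Cconstructed000001 10.85.1.104 41100 10.85.1.1 50993 tcp ssl 12.5 500 3000 SF T T 0 ShADadFf 10 900 9 3500 (empty)",
]
SERVER_PORTS = {50993}  # constructed: the IMAP-TLS port named in the thread

if __name__ == "__main__":
    for uid, reasons in scan(SAMPLE_LOG, SERVER_PORTS):
        print(uid)
        for reason in reasons:
            print("  -", reason)
```

Run against a real conn.log, the port set would be the server's actual listening ports; the first thread record is flagged only for its originator port (Bro did see a full handshake, so the swap is not a mid-stream guess), while the quoted "DdAfFa" record is flagged for both reasons.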