[Bro] Problem with connections in S1 and SF state
James Lay
jlay at slave-tothe-box.net
Wed Apr 27 07:59:23 PDT 2016
On 2016-04-27 05:40, Sven Dreyer wrote:
> Dear list,
>
> we are still having problems with messed up src and dst ip/port of
> some connections.
>
> What we did up to now:
> - Disabled bridging and used a single interface (eth1) for packet
> capturing, as suggested by Seth Hall
> - Disabled offloading by running "ethtool -K eth1 tso off ufo off gso
> off gro off lro off" in the interface's post-up script
> - Changed hardware from a "PC Engines APU 1C4" embedded board to a
> "Thomas Krenn LESv2" system
> - Checked the history field in conn.log for "ShA" flags, as suggested by
> Justin S. Azoff
>
> I found several entries like this in conn.log:
> 1457953693.259152 CaUcf02Z9xpSSHPz24 10.85.1.1 50993 10.85.1.104 41023 tcp ssl 302.736749 987 7059 SF T T 0 ShADadFfR 23 2167 16 7899 (empty)
>
> According to conn.log, this is a connection from 10.85.1.1 (internal
> IP of our server) port 50993 (the IMAP-TLS port the server uses) to
> 10.85.1.104 (a notebook computer) port 41023, lasting for 302 seconds.
> My understanding is that bro saw the whole connection from
> establishment to termination (according to the history field).
>
> In fact, the notebook established a connection to the IMAP service of
> our server. So src ip and port and dst ip and port are twisted in
> conn.log.
>
> The problem is reproducible (at least in our environment). I captured
> a pcap file on the same machine running bro, using the same interface
> and stripped it down so that it contains only the above mentioned
> connection - 39 frames and about 15 kB (see attachment). If I inject
> this pcap file in the network using
>
> tcpreplay -i eth1 twisted.pcapng
>
> bro shows a connection from 10.85.1.1 => 10.85.1.104 (wrong!) in
> conn.log. If instead I read the pcap file using "bro -r", conn.log
> shows a connection from 10.85.1.104 => 10.85.1.1 (correct!).
>
> Does anybody have a further idea what we could do to track the problem
> down?
>
> Thanks and best regards, Sven
>
>
> On 17.11.2015 at 21:38, Sven Dreyer wrote:
>> Dear list,
>>
>> I'm having trouble understanding some log entries from my conn.log. I
>> already learned from this mailing list that bro cannot surely detect who
>> initiated a connection if it does not see the initial connection setup,
>> which seems logical to me.
>>
>> But if I look to my conn.log file, I find entries like these:
>>
>> 1446190221.687738 Cbu3fj3FYdODxvLF1h 87.152.221.xxx 50993 192.168.100.yyy 36709 tcp ssl 122.745965 1238 5340 S1 F T 0 ShADad 20 2050 19 6112 (empty)
>> 1446190138.746769 CykNrp4VEfzbrJ2vm6 87.152.221.xxx 50993 192.168.100.yyy 36679 tcp ssl 223.406750 1384 18908 S1 F T 0 ShADad 39 2956 36 20360 (empty)
>>
>> It looks like our IMAP server (87.152.221.xxx running on port 50993)
>> initiated a connection to my notebook (192.168.100.yyy). That should not
>> be possible due to lack of port forwarding for this connection.
>>
>> So my first guess is that bro didn't see the initial connection setup
>> (midstream traffic, OTH state). But I took a look into the documentation on
>> https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html
>> regarding the reported states (S1), which says:
>>
>> S1 Connection established, not terminated.
>>
>> This looks to me like bro saw the connection setup. Or did I get
>> something wrong here?
>>
>> Oh and by the way: the next paragraph reads:
>>
>> SF Normal establishment and termination. Note that this is the same
>> symbol as for state S1. You can tell the two apart because for S1 there
>> will not be any byte counts in the summary, while for SF there will be.
>>
>> I don't understand this. Do S1 and SF really only differ in byte count
>> zero or non-zero? It seems to me that they also differ in "connection
>> still alive" and "connection was terminated".
>>
>> Looking further through the logs, I also find entries with "SF" flag in
>> which source and destination seem twisted:
>>
>> 1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.xxx 50993 192.168.100.yyy 20108 tcp - 462.348551 401 754 SF F T 0 DdAfFa 13 921 12 1234 (empty)
>>
>> Does anybody have a hint? Did I misunderstand something?
>>
>> I'm running bro 2.4.1.
>>
>> Thanks a lot!
>> Sven
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
Read this thread:
http://thread.gmane.org/gmane.comp.security.detection.bro/9211
It might help.
James
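The "ShA" history check suggested in the quoted messages, applied to the conn.log lines from the thread, as an added example that is not part of the original mail (the service-port set and the S1/SF heuristic are this example's own assumptions, not Bro's internal logic):

```python
# Added example, not from the thread. Bro's history field records each TCP
# event as a letter: uppercase = sent by the originator, lowercase = by the
# responder (S/s SYN, H/h SYN-ACK, A/a ACK, D/d data, F/f FIN, R/r RST).
# A history beginning with "Sh" means Bro saw the handshake from the
# originator's side; without it, the orig/resp assignment is only Bro's
# guess based on the first packet it happened to see.

# Constructed sample: the three records quoted in the thread, one per line,
# in Bro 2.4 conn.log column order (redacted octets kept as in the mail).
SAMPLE_CONN_LOG = """\
1457953693.259152 CaUcf02Z9xpSSHPz24 10.85.1.1 50993 10.85.1.104 41023 tcp ssl 302.736749 987 7059 SF T T 0 ShADadFfR 23 2167 16 7899 (empty)
1446190221.687738 Cbu3fj3FYdODxvLF1h 87.152.221.xxx 50993 192.168.100.yyy 36709 tcp ssl 122.745965 1238 5340 S1 F T 0 ShADad 20 2050 19 6112 (empty)
1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.xxx 50993 192.168.100.yyy 20108 tcp - 462.348551 401 754 SF F T 0 DdAfFa 13 921 12 1234 (empty)
"""

FIELDS = ("ts uid orig_h orig_p resp_h resp_p proto service duration orig_bytes "
          "resp_bytes conn_state local_orig local_resp missed_bytes history "
          "orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents").split()

# Assumption for this example: the poster's IMAP-TLS port is the only service port.
SERVICE_PORTS = frozenset({50993})


def parse_conn_line(line):
    """Split one whitespace-separated conn.log record into a dict by column name."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError("unexpected field count: %d" % len(values))
    return dict(zip(FIELDS, values))


def handshake_seen(history):
    """True when the history starts with originator SYN + responder SYN-ACK."""
    return history.startswith("Sh")


def expected_state(history):
    """Heuristic from the documentation quote: handshake seen and no FIN/RST
    in the history looks like S1; handshake plus a FIN or RST looks like SF.
    Returns None when no handshake was seen (direction cannot be trusted)."""
    if not handshake_seen(history):
        return None
    return "SF" if any(c in history for c in "FfRr") else "S1"


def assess(rec):
    """'midstream': no handshake, direction is a guess.
    'suspect': handshake seen, yet the originator sits on a service port while
    the responder uses an ephemeral one (the 2016 report's twisted entry).
    'ok': otherwise."""
    if not handshake_seen(rec["history"]):
        return "midstream"
    if int(rec["orig_p"]) in SERVICE_PORTS and int(rec["resp_p"]) not in SERVICE_PORTS:
        return "suspect"
    return "ok"


def audit(text):
    """Return (uid, logged conn_state, state expected from history, verdict) per record."""
    recs = (parse_conn_line(line) for line in text.splitlines() if line.strip())
    return [(r["uid"], r["conn_state"], expected_state(r["history"]), assess(r)) for r in recs]
```

Running `audit(SAMPLE_CONN_LOG)` separates the 2015 "DdAfFa" entry (no handshake, so the twisted endpoints are expected) from the 2016 "ShADadFfR" entry, where Bro did see a SYN from the server port and the problem must lie in what the capture interface delivered.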