[Bro] Problem with connections in S1 and SF state

James Lay jlay at slave-tothe-box.net
Wed Apr 27 07:59:23 PDT 2016 

On 2016-04-27 05:40, Sven Dreyer wrote:
> Dear list,
> 
> we are still having problems with messed up src and dst ip/port of
> some connections.
> 
> What we did up to now:
> - Disabled bridging and used a single interface (eth1) for packet
> capturing, as suggested by Seth Hall
> - Disabled offloading by running "ethtool -K eth1 tso off ufo off gso
> off gro off lro off" in the interface's post-up script
> - Changed hardware from a "PC Engines APU 1C4" embedded board to a
> "Thomas Krenn LESv2" system
> - Check the history field in conn.log for "ShA" flags, as suggested by
> Justin S. Azoff
> 
> I found several entries like this in conn.log:
> 1457953693.259152       CaUcf02Z9xpSSHPz24      10.85.1.1       50993
> 10.85.1.104     41023   tcp     ssl     302.736749      987     7059
> SF       T       T       0       ShADadFfR       23      2167    16
> 7899 (empty)
> 
> According to conn.log, this is a connection from 10.85.1.1 (internal
> IP of our server) port 50993 (the IMAP-TLS port the servers uses) to
> 10.85.1.104 (a notebook computer) port 41023, lasting for 302 seconds.
> My understanding is that bro saw the whole connection from
> establishment to termination (according to the history field).
> 
> In fact, the notebook established a connection to the IMAP service of
> our server. So src ip and port and dst ip and port are twisted in
> conn.log.
> 
> The problem is reproducible (at least in our environment). I captured
> a pcap file on the same machine running bro, using the same interface
> and stripped it down so that it contains only the above mentioned
> connection - 39 frames and about 15 kB (see attachment). If I inject
> this pcap file in the network using
> 
> tcpreplay -i eth1 twisted.pcapng
> 
> bro shows a connection from 10.85.1.1 => 10.85.1.104 (wrong!) in
> conn.log. If instead I read the pcap file using "bro -r", conn.log
> shows a connection from 10.85.1.104 => 10.85.1.1 (correct!).
> 
> Does anyboby have a further idea what we could do to track the problem 
> down?
> 
> Thanks and best regards, Sven
> 
> 
> Am 17.11.2015 um 21:38 schrieb Sven Dreyer:
>> Dear list,
>> 
>> I'm having trouble understanding some log entries from my conn.log. I
>> already learned from this mailing list that bro cannot surely detect 
>> who
>> initiated a connection if it does not see the initial connection 
>> setup,
>> which seems logical to me.
>> 
>> But if I look to my conn.log file, I find entries like these:
>> 
>> 1446190221.687738 Cbu3fj3FYdODxvLF1h      87.152.221.xxx  50993
>> 192.168.100.yyy 36709   tcp     ssl     122.745965      1238    5340
>> S1      F       T       0       ShAD
>> ad      20      2050    19      6112    (empty)
>> 1446190138.746769 CykNrp4VEfzbrJ2vm6      87.152.221.xxx  50993
>> 192.168.100.yyy 36679   tcp     ssl     223.406750      1384    18908
>> S1      F       T       0       ShAD    ad      39      2956    36
>> 20360   (empty)
>> 
>> It looks like our IMAP server (87.152.221.xxx running on port 50993)
>> initiated a connection to my notebook (192.168.100.yyy). That should 
>> not
>> be possible due to lack of port forwarding for this connection.
>> 
>> So my first guess is that bro didn't see the initial connection setup
>> (midstream traffic, OTH state). But I took a look into the 
>> documentation
>> on 
>> https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html
>> regarding the reported states (S1), which says:
>> 
>> S1  Connection established, not terminated.
>> 
>> This looks to me like bro saw the connection setup. Or did I get
>> something wrong here?
>> 
>> Oh and by the way: the next paragraph reads:
>> 
>> SF  Normal establishment and termination. Note that this is the same
>> symbol as for state S1. You can tell the two apart because for S1 
>> there
>> will not be any byte counts in the summary, while for SF there will 
>> be.
>> 
>> I don't understand this. Do S1 and SF really only differ in byte count
>> zero or non-zero? It seems to me that they also differ in "connection
>> still alive" and "connection was terminated".
>> 
>> Looking further trough the logs, I also find entries with "SF" flag in
>> whuch source and destination seem twisted:
>> 
>> 1445338094.186121    C9uuKp4dE9nrHo46bd      87.152.220.xxx  50993
>> 192.168.100.yyy 20108   tcp     -462.348551       401     754     SF
>>     F       T       0       DdAfFa  13      921     12      1234    
>> (empty)
>> 
>> Does anybody have a hint? Did I misunderstand something?
>> 
>> I'm running bro 2.4.1.
>> 
>> Thanks a lot!
>> Sven
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> 
> 
> 
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


Read this thread:

http://thread.gmane.org/gmane.comp.security.detection.bro/9211

It might help.

James

More information about the Bro mailing list