[Bro] Connection lasts huge time

Johanna Amann johanna at icir.org
Fri Jul 8 10:03:04 PDT 2016


Hello Simone,

Are you sure that these connections did not just last several hours?

If you are sure - the only possible way that I can think of for these
values getting messed up is libpcap (and thus probably the kernel)
delivering wrong timestamps for packets. Bro just determines the duration
by subtracting the timestamp of the first packet that it saw from the
timestamp of the last packet that it saw. Additionally, Bro will expire
connections where it has not seen any packets, generally after a few
minutes.

I have seen wrong timestamps being delivered for a couple of packets
before, but in those cases they were off by years, not just by hours, so I
consider that unlikely.

Johanna

On Tue, Jul 05, 2016 at 03:30:15PM +0000, Rotondo Simone wrote:
> Hi,
> in my Bro logs, I have some connections that last 6 hours and more.
> Those conns use different services:
> 
> ------------------------
> conn.13:00:00-14:00:00.log.gz:{"ts":1466403937.471482,"uid":"CNLOdrb4ss9hRDDgg","id.orig_h":"XXX.XXX.XXX.XXX","id.orig_p":XXXXX,"id.resp_h":"XXX.XXX.XXX.XXX","id.resp_p":3268,"proto":"tcp","duration":16980.700023,"orig_bytes":299358,"resp_bytes":258817,"conn_state":"S1","local_resp":false,"missed_bytes":58394,"history":"ShADad","orig_pkts":485,"orig_ip_bytes":287130,"resp_pkts":243,"resp_ip_bytes":241795,"tunnel_parents":[],"local_origi":"T4","local_respo":"F4"}
> 
> ------------------------
> conn.14:00:00-15:00:00.log.gz:{"ts":1466404357.492809,"uid":"CA7q9dl7q5ZbTDRXa","id.orig_h":"XXX.XXX.XXX.XXX","id.orig_p":XXXXX,"id.resp_h":" XXX.XXX.XXX.XXX","id.resp_p":443,"proto":"tcp","service":"ssl","duration":22774.467724,"orig_bytes":341462,"resp_bytes":402631,"conn_state":"S1","local_resp":true,"missed_bytes":51675,"history":"ShADda","orig_pkts":921,"orig_ip_bytes":353314,"resp_pkts":2058,"resp_ip_bytes":458288,"tunnel_parents":[],"from_known_services":["SSL"],"local_origi":"T4","local_respo":"T4"}
> +++++
> ssl.08:00:00-09:00:00.log.gz:{"ts":1466404357.495789,"uid":"CA7q9dl7q5ZbTDRXa","id.orig_h":"XXX.XXX.XXX.XXX","id.orig_p":XXXXX,"id.resp_h":"XXX.XXX.XXX.XXX","id.resp_p":443,"version":"TLSv12","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","server_name":"mail.xxxxxx.xxx","resumed":true,"established":true}
> 
> ------------------------
> conn.14:00:00-15:00:00.log.gz:{"ts":1466404268.700607,"uid":"Czvp3U1saSEh9powDh","id.orig_h":"XXX.XXX.XXX.XXX","id.orig_p":XXXXX,"id.resp_h":"XXX.XXX.XXX.XXX","id.resp_p":443,"proto":"tcp","service":"ssl","duration":21422.058832,"orig_bytes":2158,"resp_bytes":122049,"conn_state":"RSTO","local_resp":true,"missed_bytes":3254,"history":"ShADdaR","orig_pkts":411,"orig_ip_bytes":18610,"resp_pkts":836,"resp_ip_bytes":152247,"tunnel_parents":[],"from_known_services":["SSL"],"local_origi":"T4","local_respo":"T4"}
> +++++
> ssl.08:00:00-09:00:00.log.gz:{"ts":1466404268.70101,"uid":"Czvp3U1saSEh9powDh","id.orig_h":"XXX.XXX.XXX.XXX","id.orig_p":XXXXX,"id.resp_h":"XXX.XXX.XXX.XXX","id.resp_p":443,"version":"TLSv10","cipher":"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA","curve":"secp384r1","server_name":"mail.xxxxx.xxx","resumed":false,"established":true,"cert_chain_fuids":["XXXXXXXXXXXXXXXXX","XXXXXXXXXXXXXXXXXXX"],"client_cert_chain_fuids":[],"subject":"emailAddress=hostmaster at xxxxxx.xx,CN=mail.xxxxxxx.xxx,O=XXXXXXX,...}
> 
> 
> Have you got any idea about this issue?
> 
> BR
> Simone

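As an added illustration (this is not code from the thread or from the Bro project), the following Python applies Johanna's description of how Bro derives duration to conn.log JSON records: since Bro expires a TCP connection after a few minutes without packets, a duration longer than (packets - 1) times the inactivity timeout cannot come from a real session and points at bad packet timestamps. The 300-second timeout, the record layout and the sample lines are assumptions made here; the first sample reuses the figures Simone posted, the second is constructed to trip the check.

```python
import json
from datetime import datetime, timezone

# Assumed Bro TCP inactivity timeout in seconds (Bro's default is 5 minutes;
# change it if the deployment overrides tcp_inactivity_timeout).
INACTIVITY_TIMEOUT = 300.0

# Constructed conn.log records in Bro's JSON output format. The first mirrors
# the figures from the thread; the second is made up to trigger the check.
SAMPLE_LINES = [
    '{"ts":1466403937.471482,"uid":"CNLOdrb4ss9hRDDgg","id.resp_p":3268,'
    '"proto":"tcp","duration":16980.700023,"orig_pkts":485,"resp_pkts":243,'
    '"history":"ShADad","conn_state":"S1"}',
    '{"ts":1466404000.0,"uid":"Cexample0000001","id.resp_p":443,'
    '"proto":"tcp","duration":20000.0,"orig_pkts":10,"resp_pkts":5,'
    '"history":"ShADad","conn_state":"S1"}',
]

def analyze_conn(line, inactivity_timeout=INACTIVITY_TIMEOUT):
    """Check whether a conn.log duration is consistent with how Bro computes it.

    Bro's duration is last-packet timestamp minus first-packet timestamp, and an
    idle TCP connection is expired after inactivity_timeout seconds. If every
    inter-packet gap were <= the timeout, the duration could be at most
    (packets - 1) * timeout; a larger duration means some gap exceeded the
    timeout, which points at wrong packet timestamps rather than a real session.
    """
    rec = json.loads(line)
    duration = float(rec.get("duration", 0.0))
    pkts = int(rec.get("orig_pkts", 0)) + int(rec.get("resp_pkts", 0))
    max_plausible = max(pkts - 1, 0) * inactivity_timeout
    first = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
    last = datetime.fromtimestamp(rec["ts"] + duration, tz=timezone.utc)
    return {
        "uid": rec["uid"],
        "duration_hours": round(duration / 3600.0, 2),
        "first_packet": first.isoformat(),
        "last_packet": last.isoformat(),
        "total_pkts": pkts,
        "max_plausible_duration": max_plausible,
        "timestamp_suspect": duration > max_plausible,
    }

def long_connections(lines, min_hours=6.0):
    """Return the analysis of every connection at least min_hours long."""
    results = [analyze_conn(line) for line in lines]
    return [r for r in results if r["duration_hours"] >= min_hours]

if __name__ == "__main__":
    for r in long_connections(SAMPLE_LINES, min_hours=4.0):
        print(r)
```

For the record from the thread the bound is 727 * 300 s, far above the 4.7-hour duration, so that connection is consistent with Bro's bookkeeping and the long duration is not by itself evidence of a timestamp problem.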
