[Bro] Definition of a connection in conn.log
Johanna Amann
johanna at icir.org
Fri Mar 25 09:58:26 PDT 2016
Hello,
let me try to give a few quick answers to your question.
On Tue, Mar 22, 2016 at 03:00:25PM -0600, Navraj Singh wrote:
> 1. Is it safe to assume that any given packet will be assigned to at most
> one connection, and thus to at most one row in conn.log?
No - there is a special case for tunnels, where a connection can be the
parent of another connection (the child shows its parent in the
tunnel_parents field of conn.log). In that case, the packet is assigned to
both the child and the parent.
> 2. Why is it that some rows in conn.log do not have the duration field set?
> I see see several row with a '-' in the duration field.
That should mean that the duration was "0" (e.g. single packet), if I am
not mistaken.
> 3. The bro documentation states that "For UDP and ICMP, “connections” are
> to be interpreted using flow semantics (sequence of packets from a source
> host/port to a destination host/port)." However, what is the exact
> definition for a TCP flow? How does Bro decide which packets to include in
> a connection?
That s a not quite straightforward to answer question. Generally Bro
counts connections a 5-tuples; however, there are several timeouts at work
(after no packets were arrived for a certain amount of time, a connection
is seen as finished; if theree are new packets, a new connection will
begin). For TCP, a connection also can be ended by fin and rst packets,
and a new connection will begin afterwards.
The timeouts are set using configuration variables - e.g. the default
tcp_inactivity_timeout, after which a TCP connection is considered closed
when no more packets are seen is 5 minutes. For UDP, it is 1 minute. For
ICMP it also is one minute.
> 4. For an ongoing 'connection', does Bro wait until the connection is over
> before logging it? What if the connection is quite long in duration...won't
> that cause a lag? Or does Bro automatically chop up long flows based on
> some configurable limit parameter?
Yup. And you are right, it will cause a lag in logging.
I hope this helps,
Johanna
More information about the Bro
mailing list