[Bro] Definition of a connection in conn.log

Navraj Singh navraj42 at gmail.com
Fri Mar 25 19:48:04 PDT 2016 

Thanks Johanna! This helps a lot.

On Fri, Mar 25, 2016 at 10:58 AM, Johanna Amann <johanna at icir.org> wrote:

> Hello,
>
> let me try to give a few quick answers to your question.
>
> On Tue, Mar 22, 2016 at 03:00:25PM -0600, Navraj Singh wrote:
> > 1. Is it safe to assume that any given packet will be assigned to at most
> > one connection, and thus to at most one row in conn.log?
>
> No - there is a special case for tunnels, where a connection can be the
> parent of another connection (the child shows its parent in the
> tunnel_parents field of conn.log). In that case, the packet is assigned to
> both the child and the parent.
>
> > 2. Why is it that some rows in conn.log do not have the duration field
> set?
> > I see see several row with a '-' in the duration field.
>
> That should mean that the duration was "0" (e.g. single packet), if I am
> not mistaken.
>
> > 3. The bro documentation states that "For UDP and ICMP, “connections” are
> > to be interpreted using flow semantics (sequence of packets from a source
> > host/port to a destination host/port)." However, what is the exact
> > definition for a TCP flow? How does Bro decide which packets to include
> in
> > a connection?
>
> That s a not quite straightforward to answer question. Generally Bro
> counts connections a 5-tuples; however, there are several timeouts at work
> (after no packets were arrived for a certain amount of time, a connection
> is seen as finished; if theree are new packets, a new connection will
> begin). For TCP, a connection also can be ended by fin and rst packets,
> and a new connection will begin afterwards.
>
> The timeouts are set using configuration variables - e.g. the default
> tcp_inactivity_timeout, after which a TCP connection is considered closed
> when no more packets are seen is 5 minutes. For UDP, it is 1 minute. For
> ICMP it also is one minute.
>
> > 4. For an ongoing 'connection', does Bro wait until the connection is
> over
> > before logging it? What if the connection is quite long in
> duration...won't
> > that cause a lag? Or does Bro automatically chop up long flows based on
> > some configurable limit parameter?
>
> Yup. And you are right, it will cause a lag in logging.
>
> I hope this helps,
>  Johanna
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160325/ebd27dfd/attachment.html

More information about the Bro mailing list