[Bro] Quick question on conn tracking
James Lay
jlay at slave-tothe-box.net
Wed Sep 28 12:51:17 PDT 2016
Hey all,
So I'm getting bro and elasticsearch going, with one of the goals of
finding flows with no service field. That being said, I am seeing that a
long session, at least I THINK that's what I'm seeing, appears to be
counted twice. From conn.log:
2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp ssl 0.214346 460 170 S1 T F 0 ShADad 8 884 7 542 (empty) -
2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp - 0.016678 31 0 RSTRH T F 0 fDrAr 2 135 3 132 (empty) -
I captured the data and I'm enclosing the pcap. Basically, the ssl
connection is established at 12:29:39 and is open until Facebook gets
annoyed and FIN-ACKs the session at 12:44:39 (now we know they time out
at exactly 15 minutes). However, why does that show as two entries as above?
Thanks for any insight.
James
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/octet-stream
Size: 3408 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160928/b74ae04c/attachment.obj
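The following is an added example, not code from James's post or from Bro itself. It shows how to tell a genuinely service-less flow apart from a continuation record of an earlier flow when querying conn.log. The clue is in the history column: the first record's ShADad starts with an uppercase S (originator SYN), while the second record's fDrAr starts with a responder FIN and contains no S at all, so Bro saw no handshake for it. That is what a session looks like after Bro's tcp_inactivity_timeout (5 minutes by default) has expired its state during the idle period: the FIN arriving 15 minutes later opens a fresh record with no handshake and therefore no service detection. The script assumes the standard conn.log column order (the post's lines carry one trailing extra column, which is ignored) and adds one constructed record for a flow whose service really is unknown.

```python
"""Stitch Bro conn.log records that belong to one long-idle TCP session.

Added example, not code from the original post or from Bro itself.
Assumptions: Bro's default tcp_inactivity_timeout of 5 minutes, and the
standard conn.log column order (the post's lines carry one trailing extra
column, which is ignored here).
"""
from datetime import datetime, timedelta

FIELDS = [
    "ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
    "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
    "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
    "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# The two records from the post, each on one line, plus one constructed
# record (198.51.100.7:8080) of a flow that really has no detected service.
SAMPLE_LOG = """\
2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp ssl 0.214346 460 170 S1 T F 0 ShADad 8 884 7 542 (empty) -
2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp - 0.016678 31 0 RSTRH T F 0 fDrAr 2 135 3 132 (empty) -
2016-09-28T12:50:00-0600 192.168.1.101 50000 198.51.100.7 8080 tcp - 1.5 100 200 SF T F 0 ShADadFf 5 400 4 300 (empty) -
"""


def parse_conn_log(text):
    """Parse whitespace-separated conn.log lines into dicts keyed by FIELDS."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split()))
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S%z")
        rec["duration"] = 0.0 if rec["duration"] == "-" else float(rec["duration"])
        records.append(rec)
    return records


def five_tuple(rec):
    return (rec["orig_h"], rec["orig_p"], rec["resp_h"], rec["resp_p"], rec["proto"])


def saw_handshake(rec):
    """Uppercase 'S' in history means Bro saw the originator's SYN.

    A record without it began mid-stream: Bro held no state for the flow
    when these packets arrived, which is what an expired inactivity
    timeout looks like.
    """
    return "S" in rec["history"]


def classify(records, inactivity_timeout=timedelta(minutes=5)):
    """Label each record 'classified', 'continuation' or 'unclassified'.

    A service-less record is a continuation of an earlier record when it has
    the same 5-tuple, shows no handshake, and starts after that earlier
    record has been idle for at least the inactivity timeout.
    """
    labelled = []
    last_seen = {}  # five-tuple -> most recent earlier record
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = five_tuple(rec)
        label = "classified" if rec["service"] != "-" else "unclassified"
        prev = last_seen.get(key)
        if prev is not None and label == "unclassified" and not saw_handshake(rec):
            idle = rec["ts"] - (prev["ts"] + timedelta(seconds=prev["duration"]))
            if idle >= inactivity_timeout:
                label = "continuation"
        labelled.append((rec, label))
        last_seen[key] = rec
    return labelled


def truly_unclassified(text):
    """5-tuples whose service is really unknown (continuations excluded)."""
    return [five_tuple(r) for r, label in classify(parse_conn_log(text))
            if label == "unclassified"]


def session_count(text):
    """Number of distinct sessions once continuations are folded in."""
    return sum(1 for _, label in classify(parse_conn_log(text))
               if label != "continuation")


if __name__ == "__main__":
    for rec, label in classify(parse_conn_log(SAMPLE_LOG)):
        print(rec["ts"].isoformat(), rec["service"], rec["history"], label)
```

Run against the sample, the Facebook flow collapses to one session and only the constructed 198.51.100.7:8080 flow remains as a true "no service" hit. The same idea carries over to an Elasticsearch query: filter on service missing and history not containing an uppercase S, then join on the 5-tuple to find the record it continues.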