[Bro] Quick question on conn tracking
Daniel Guerra
daniel.guerra69 at gmail.com
Wed Sep 28 15:25:52 PDT 2016
I get the same in Elasticsearch, but it's got nothing to do with it. Bro seems to split the socket because of the time in between the activity. You can avoid this by using longer timeouts.

It would be better to create a script that keeps track of all SSL connections in memory/Broker.

I had to convert your dump to tcpdump format in order to read it in Bro (git).
> On 28 Sep 2016, at 21:51, James Lay <jlay at slave-tothe-box.net> wrote:
>
> Hey all,
>
> So I'm getting Bro and Elasticsearch going, with one of the goals of finding flows with no service field. That being said, I am seeing that long sessions, at least I THINK that's what I'm seeing, appear to be counted twice. From conn.log:
>
> 2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp ssl 0.214346 460 170 S1 T F 0 ShADad 8 884 7 542 (empty) -
>
> 2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp - 0.016678 31 0 RSTRH T F 0 fDrAr 2 135 3 132 (empty) -
>
> I captured the data and I'm enclosing the pcap. Basically, the SSL connection is established at 12:29:39 and is open until Facebook gets annoyed and FIN-ACKs the session at 12:44:39 (now we know they time out at exactly 15 minutes). However, why does that show up as the entries above? Thanks for any insight.
>
> James <192.168.1.101.pcapng>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
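The split James shows is what Daniel describes: after the idle gap Bro expires the connection state (the knob behind "longer timeouts" is Bro's tcp_inactivity_timeout, 5 minutes by default), so the FIN/RST exchange 15 minutes later is logged as a second row with the same 5-tuple and no service, which then pollutes a "flows with no service" query. Raising the timeout costs memory on a busy sensor; the alternative Daniel suggests, keeping track of the connections yourself, can also be done after the fact on conn.log. The following is an added example for this thread, not Bro code and not a script from anyone on the list: it parses conn.log TSV and merges a later row into an earlier one with the same 5-tuple when the later row starts after the earlier one ended, within an assumed MAX_GAP, carries no service of its own and shows no SYN in its history (a SYN would mean the source port was reused for a genuinely new connection). The sample log is constructed, modelled on the two entries above plus an unrelated HTTP flow, with uids and epoch timestamps made up.

```python
"""Stitch conn.log rows that Bro split across an inactivity timeout.

Added example for this mailing-list thread, not Bro code.  Assumes the
default conn.log TSV layout with a #fields header; MAX_GAP is a chosen
bound on how long an idle gap may be bridged.
"""
from collections import defaultdict

MAX_GAP = 3600.0  # seconds; assumption, bridge idle gaps no longer than this

# Constructed sample conn.log, modelled on the two entries in the thread
# (epoch timestamps approximate 2016-09-28 12:29:39 and 12:44:39 -0600),
# plus an unrelated HTTP flow so the merge is seen to be selective.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig"
    "\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes"
    "\tresp_pkts\tresp_ip_bytes\ttunnel_parents\n"
    "1475087379.000000\tCAAAAA1\t192.168.1.101\t44083\t31.13.76.101\t443"
    "\ttcp\tssl\t0.214346\t460\t170\tS1\tT\tF\t0\tShADad\t8\t884\t7\t542"
    "\t(empty)\n"
    "1475087400.000000\tCAAAAA2\t192.168.1.101\t51000\t198.51.100.7\t80"
    "\ttcp\thttp\t0.500000\t300\t1200\tSF\tT\tF\t0\tShADadFf\t6\t600\t5"
    "\t1400\t(empty)\n"
    "1475088279.000000\tCAAAAA3\t192.168.1.101\t44083\t31.13.76.101\t443"
    "\ttcp\t-\t0.016678\t31\t0\tRSTRH\tT\tF\t0\tfDrAr\t2\t135\t3\t132"
    "\t(empty)\n"
)

INT_FIELDS = ("orig_bytes", "resp_bytes", "orig_pkts", "orig_ip_bytes",
              "resp_pkts", "resp_ip_bytes")


def parse_conn_log(text):
    """Parse Bro TSV conn.log text into dicts keyed by the #fields names."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split("\t")))
            row["ts"] = float(row["ts"])
            row["duration"] = float(row["duration"]) if row["duration"] != "-" else 0.0
            for f in INT_FIELDS:
                row[f] = int(row[f]) if row[f] != "-" else 0
            row["segments"] = 1  # how many conn.log rows this record covers
            rows.append(row)
    return rows


def five_tuple(row):
    return (row["id.orig_h"], row["id.orig_p"], row["id.resp_h"],
            row["id.resp_p"], row["proto"])


def is_continuation(head, tail, max_gap):
    """tail is the rest of head if it starts after head ended, not too much
    later, has no service of its own and shows no SYN in its history."""
    gap = tail["ts"] - (head["ts"] + head["duration"])
    return (0 <= gap <= max_gap
            and tail["service"] == "-"
            and not any(ch in tail["history"] for ch in "Ss"))


def absorb(head, tail):
    """Fold tail into head: extend duration, add counters, append history."""
    head["duration"] = (tail["ts"] + tail["duration"]) - head["ts"]
    for f in INT_FIELDS:
        head[f] += tail[f]
    head["history"] += tail["history"]
    head["conn_state"] = tail["conn_state"]  # final state is the tail's
    head["segments"] += tail["segments"]


def stitch(rows, max_gap=MAX_GAP):
    """Merge split rows per 5-tuple; returns new records sorted by start."""
    groups = defaultdict(list)
    for row in rows:
        groups[five_tuple(row)].append(dict(row))  # copy; input untouched
    merged = []
    for group in groups.values():
        group.sort(key=lambda r: r["ts"])
        head = group[0]
        for tail in group[1:]:
            if is_continuation(head, tail, max_gap):
                absorb(head, tail)
            else:
                merged.append(head)
                head = tail
        merged.append(head)
    return sorted(merged, key=lambda r: r["ts"])


def without_service(rows):
    """The query from the thread: flows Bro could not attach a service to."""
    return [r for r in rows if r["service"] == "-"]


if __name__ == "__main__":
    raw = parse_conn_log(SAMPLE_CONN_LOG)
    print("rows without service before stitching:", len(without_service(raw)))
    for r in stitch(raw):
        print(r["uid"], r["service"], round(r["duration"], 6), r["orig_bytes"],
              r["resp_bytes"], r["history"], r["conn_state"], r["segments"])
    print("rows without service after stitching:",
          len(without_service(stitch(raw))))
```

On the sample, the two SSL rows collapse into one 900-second record with the summed byte and packet counts, the concatenated history ShADadfDrAr and the tail's RSTRH state, while the HTTP flow is left alone; the serviceless-flow query then returns nothing. The SYN check in is_continuation is the guard that matters: without it, an ephemeral port reused within MAX_GAP for a new connection to the same server would be glued onto the old session.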