[Bro] Quick question on conn tracking
James Lay
jlay at slave-tothe-box.net
Wed Sep 28 15:28:46 PDT 2016
On 2016-09-28 16:25, Daniel Guerra wrote:
> I get the same in elasticsearch.
> But it's got nothing to do with it.
>
> Bro seems to split the socket because
> of the time in between the activity.
>
> You can avoid this by longer timeouts.
>
> It would be better to create a script that
> keeps track of all ssl connections in
> memory/broker.
>
> I had to convert your dump to tcpdump
> in order to read it in bro (git)
>
>
>> On 28 Sep 2016, at 21:51, James Lay <jlay at slave-tothe-box.net> wrote:
>>
>> Hey all,
>>
>> So I'm getting bro and elasticsearch going, with one of the goals of
>> finding flows with no service field. That being said I am seeing that
>> long sessions, at least I THINK that's what I'm seeing, appear to be
>> counted twice. From conn.log:
>>
>> 2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443
>> tcp ssl 0.214346 460 170 S1 T F
>> 0 ShADad 8 884 7 542 (empty) -
>>
>> 2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443
>> tcp - 0.016678 31 0 RSTRH T F
>> 0 fDrAr 2 135 3 132 (empty) -
>>
>> I captured the data and I'm enclosing the pcap. Basically, ssl
>> connection is established at 12:29:39 and is open until Facebook gets
>> annoyed and FIN-ACK's the session at 12:44:39 (now we know they time
>> out at exactly 15 minutes). However why does that show as entries as
>> above? Thanks for any insight.
>>
>> James
Thanks Daniel. Is there a way to tell bro to have a longer timeout?
Thank you.
James
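The split that Daniel describes (Bro's idle-connection timeout, `tcp_inactivity_timeout`, which defaults to 5 minutes and can be raised with `redef`, logs the FIN/RST tail of a long-idle session as a second, service-less conn.log entry) is exactly what produces false hits when hunting for flows with no service field. The following is an added example, not code from the thread or from Bro: it parses records in the column layout James posted (no uid column; an extra trailing field), pairs each service-less record with the preceding record for the same 5-tuple, and reports the combined session so only genuinely service-less flows remain. The sample records and the `MAX_GAP` window are constructed assumptions.

```python
"""Rejoin conn.log entries that Bro split because of its inactivity timeout."""
from datetime import datetime, timedelta

# Constructed sample in the column order seen in the thread: ts, orig_h, orig_p,
# resp_h, resp_p, proto, service, duration, orig_bytes, resp_bytes, conn_state,
# local_orig, local_resp, missed_bytes, history, pkt/byte counts, tunnel_parents, extra.
# The second record is the FIN/RST tail that Bro logged as its own connection.
SAMPLE_CONN_LOG = """\
2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp ssl 0.214346 460 170 S1 T F 0 ShADad 8 884 7 542 (empty) -
2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp - 0.016678 31 0 RSTRH T F 0 fDrAr 2 135 3 132 (empty) -
"""

# Assumed upper bound on the idle gap between the two halves of one session;
# tune it to whatever inactivity timeout the sensor is actually running with.
MAX_GAP = timedelta(minutes=30)


def parse(line):
    """Pull the fields the pairing logic needs out of one space-separated record."""
    f = line.split()
    return {
        "ts": datetime.strptime(f[0], "%Y-%m-%dT%H:%M:%S%z"),
        "tuple": (f[1], f[2], f[3], f[4], f[5]),  # orig_h, orig_p, resp_h, resp_p, proto
        "service": f[6],
        "duration": timedelta(seconds=float(f[7])),
        "state": f[10],
    }


def merge_split_flows(text, max_gap=MAX_GAP):
    """Return (merged, unexplained).

    merged: (5-tuple, service of the first half, total duration, final conn_state)
            for each service-less record that continues an earlier record.
    unexplained: service-less records with no earlier half to attach to; these
            are the flows actually worth looking at when hunting by empty service.
    """
    last_by_tuple, merged, unexplained = {}, [], []
    for rec in map(parse, text.splitlines()):
        prev = last_by_tuple.get(rec["tuple"])
        if rec["service"] == "-":
            gap = rec["ts"] - (prev["ts"] + prev["duration"]) if prev else None
            if prev and prev["service"] != "-" and timedelta(0) <= gap <= max_gap:
                total = rec["ts"] + rec["duration"] - prev["ts"]
                merged.append((rec["tuple"], prev["service"], total, rec["state"]))
            else:
                unexplained.append(rec)
        last_by_tuple[rec["tuple"]] = rec
    return merged, unexplained
```

On the sample, the two records collapse into one ssl session of about 900 seconds ending in RSTRH, and nothing is left in the unexplained list.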