[Bro] Quick question on conn tracking

Daniel Guerra daniel.guerra69 at gmail.com
Wed Sep 28 15:40:35 PDT 2016


/usr/local/bro/share/bro/base/init-bare.bro

## If a TCP connection is inactive, time it out after this interval. If 0 secs,
## then don't time it out.
##
## .. bro:see:: udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
const tcp_inactivity_timeout = 5 min &redef;

## If a UDP flow is inactive, time it out after this interval. If 0 secs, then
## don't time it out.
##
## .. bro:see:: tcp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
const udp_inactivity_timeout = 1 min &redef;

## If an ICMP flow is inactive, time it out after this interval. If 0 secs, then
## don't time it out.
##
## .. bro:see:: tcp_inactivity_timeout udp_inactivity_timeout set_inactivity_timeout
const icmp_inactivity_timeout = 1 min &redef;

> On 29 Sep 2016, at 00:28, James Lay <jlay at slave-tothe-box.net> wrote:
> 
> On 2016-09-28 16:25, Daniel Guerra wrote:
>> I get the same in elasticsearch.
>> But it's got nothing to do with it.
>> 
>> Bro seems to split the socket because
>> of the time in between the activity.
>> 
>> You can avoid this by longer timeouts.
>> 
>> It would be better to create a script that
>> keeps track of all ssl connections in
>> memory/broker.
>> 
>> I had to convert your dump to tcpdump
>> in order to read it in bro (git)
>> 
>> 
>>> On 28 Sep 2016, at 21:51, James Lay <jlay at slave-tothe-box.net> wrote:
>>> 
>>> Hey all,
>>> 
>>> So I'm getting bro and elasticsearch going, with one of the goals of 
>>> finding flows with no service field.  That being said I am seeing that 
>>> long sessions, at least I THINK that's what I'm seeing, appear to be 
>>> counted twice.  From conn.log:
>>> 
>>> 2016-09-28T12:29:39-0600  192.168.1.101   44083   31.13.76.101    443     tcp     ssl     0.214346        460     170     S1      T       F       0       ShADad  8       884     7       542     (empty) -
>>> 
>>> 2016-09-28T12:44:39-0600  192.168.1.101   44083   31.13.76.101    443     tcp     -       0.016678        31      0       RSTRH   T       F       0       fDrAr   2       135     3       132     (empty) -
>>> 
>>> I captured the data and I'm enclosing the pcap.  Basically, ssl 
>>> connection is established at 12:29:39 and is open until Facebook gets 
>>> annoyed and FIN-ACK's the session at 12:44:39 (now we know they time 
>>> out at exactly 15 minutes).  However why does that show as entries as 
>>> above?  Thanks for any insight.
>>> 
>>> James
> 
> Thanks Daniel.  Is there a way to tell bro to have a longer timeout?  
> Thank you.
> 
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
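Added example (not code from this thread, from Bro, or from any of the posters): the split James saw is what the tcp_inactivity_timeout constant above produces. After 5 idle minutes Bro expires the connection state; when Facebook's RST/FIN arrives 15 minutes in, Bro opens a second record for the same 5-tuple, sees no handshake, and so logs no service. Raising the timeout with a redef, or calling set_inactivity_timeout per connection, avoids the split at capture time. The script below instead repairs conn.log after the fact, which is what you want once the records are already in Elasticsearch: it re-joins a later record for the same 5-tuple when that record's history shows no SYN from either side and it starts within a bounded gap of the earlier record's end. The sample log is constructed from the two records quoted above (default Bro 2.x column order minus uid, which the quoted output did not include); the function names, the "no SYN in history" heuristic and the 3600 s max_gap default are my own choices, not anything Bro defines.

```python
"""Re-join conn.log records that Bro split at tcp_inactivity_timeout.

Added example, not part of the mailing-list thread or of Bro itself.
Heuristic (an assumption, not a Bro rule): a later record for the same
5-tuple whose history field contains no 'S'/'s' (no SYN seen by Bro) and
that starts within max_gap seconds of the previous record's end is the
continuation of that flow and inherits its service label.
"""
from datetime import datetime
from typing import Dict, List, Tuple

Record = Dict[str, str]

# Constructed sample in conn.log's tab-separated layout, using the two
# records from the thread. Timestamps are ISO as in the quoted output
# (stock Bro writes epoch seconds; adjust ts_seconds() for that).
SAMPLE_LOG = "\n".join([
    "#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp"
    "\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts"
    "\tresp_ip_bytes\ttunnel_parents",
    "2016-09-28T12:29:39-0600\t192.168.1.101\t44083\t31.13.76.101\t443\ttcp"
    "\tssl\t0.214346\t460\t170\tS1\tT\tF\t0\tShADad\t8\t884\t7\t542\t(empty)",
    "2016-09-28T12:44:39-0600\t192.168.1.101\t44083\t31.13.76.101\t443\ttcp"
    "\t-\t0.016678\t31\t0\tRSTRH\tT\tF\t0\tfDrAr\t2\t135\t3\t132\t(empty)",
])


def parse_conn_log(text: str) -> List[Record]:
    """Parse tab-separated conn.log text, naming columns from its #fields line."""
    fields: List[str] = []
    records: List[Record] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            vals = line.split("\t")
            if len(vals) != len(fields):
                raise ValueError("column count does not match #fields: %r" % line)
            records.append(dict(zip(fields, vals)))
    return records


def ts_seconds(ts: str) -> float:
    """Epoch seconds from an ISO-8601 timestamp with numeric offset."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z").timestamp()


def duration_seconds(r: Record) -> float:
    """Bro writes '-' when it has no duration; treat that as zero."""
    return 0.0 if r["duration"] == "-" else float(r["duration"])


def five_tuple(r: Record) -> Tuple[str, str, str, str, str]:
    return (r["id.orig_h"], r["id.orig_p"], r["id.resp_h"], r["id.resp_p"], r["proto"])


def is_continuation(prev: Record, rec: Record, max_gap: float) -> bool:
    """True if `rec` looks like the tail of the TCP connection recorded in `prev`.

    Same 5-tuple, no SYN from either side in rec's history (Bro picked the
    stream up mid-flight), and rec starts after prev ended, within max_gap.
    """
    if prev["proto"] != "tcp" or five_tuple(prev) != five_tuple(rec):
        return False
    if "S" in rec["history"] or "s" in rec["history"]:
        return False  # a real new handshake, not a timed-out remainder
    prev_end = ts_seconds(prev["ts"]) + duration_seconds(prev)
    gap = ts_seconds(rec["ts"]) - prev_end
    return 0 <= gap <= max_gap


def stitch(records: List[Record], max_gap: float = 3600.0) -> List[List[Record]]:
    """Group records into flows; a continuation record inherits the service."""
    flows: List[List[Record]] = []
    open_flows: Dict[Tuple[str, ...], List[Record]] = {}
    for rec in sorted(records, key=lambda r: ts_seconds(r["ts"])):
        key = five_tuple(rec)
        flow = open_flows.get(key)
        if flow is not None and is_continuation(flow[-1], rec, max_gap):
            if rec["service"] == "-":
                rec = dict(rec, service=flow[-1]["service"])
            flow.append(rec)
        else:
            flow = [rec]
            flows.append(flow)
            open_flows[key] = flow
    return flows


def flow_span(flow: List[Record]) -> float:
    """Seconds from the first record's start to the last record's end."""
    first, last = flow[0], flow[-1]
    return ts_seconds(last["ts"]) + duration_seconds(last) - ts_seconds(first["ts"])


if __name__ == "__main__":
    for flow in stitch(parse_conn_log(SAMPLE_LOG)):
        print(len(flow), "record(s)", flow[0]["service"], "%.6f s" % flow_span(flow))
```

On the two records above this yields one ssl flow spanning 900.016678 s, i.e. the 15 minutes James measured, and the second record no longer shows up in a "no service" query. Keep max_gap generous: the continuation starts whenever the peer finally acts, not at the inactivity timeout itself, so a bound equal to tcp_inactivity_timeout would miss exactly the case in this thread.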
