[Bro] Quick question on conn tracking

James Lay jlay at slave-tothe-box.net
Wed Sep 28 15:43:31 PDT 2016


On 2016-09-28 16:40, Daniel Guerra wrote:
> /usr/local/bro/share/bro/base/init-bare.bro
> 
> ## If a TCP connection is inactive, time it out after this interval. If 0 secs,
> ## then don't time it out.
> ##
> ## .. bro:see:: udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
> const tcp_inactivity_timeout = 5 min &redef;
> 
> ## If a UDP flow is inactive, time it out after this interval. If 0 secs, then
> ## don't time it out.
> ##
> ## .. bro:see:: tcp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
> const udp_inactivity_timeout = 1 min &redef;
> 
> ## If an ICMP flow is inactive, time it out after this interval. If 0 secs, then
> ## don't time it out.
> ##
> ## .. bro:see:: tcp_inactivity_timeout udp_inactivity_timeout set_inactivity_timeout
> const icmp_inactivity_timeout = 1 min &redef;
> 
>> On 29 Sep 2016, at 00:28, James Lay <jlay at slave-tothe-box.net> wrote:
>> 
>> On 2016-09-28 16:25, Daniel Guerra wrote:
>>> I get the same in elasticsearch.
>>> But it's got nothing to do with it.
>>> 
>>> Bro seems to split the socket because
>>> of the time in between the activity.
>>> 
>>> You can avoid this by longer timeouts.
>>> 
>>> It would be better to create a script that
>>> keeps track of all ssl connections in
>>> memory/broker.
>>> 
>>> I had to convert your dump to tcpdump
>>> in order to read it in bro (git)
>>> 
>>> 
>>>> On 28 Sep 2016, at 21:51, James Lay <jlay at slave-tothe-box.net> 
>>>> wrote:
>>>> 
>>>> Hey all,
>>>> 
>>>> So I'm getting bro and elasticsearch going, with one of the goals of
>>>> finding flows with no service field.  That being said I am seeing that
>>>> long sessions, at least I THINK that's what I'm seeing, appear to be
>>>> counted twice.  From conn.log:
>>>> 
>>>> 2016-09-28T12:29:39-0600  192.168.1.101   44083   31.13.76.101    443     tcp     ssl     0.214346        460     170     S1      T       F       0       ShADad  8       884     7       542     (empty) -
>>>> 
>>>> 2016-09-28T12:44:39-0600  192.168.1.101   44083   31.13.76.101    443     tcp     -       0.016678        31      0       RSTRH   T       F       0       fDrAr   2       135     3       132     (empty) -
>>>> 
>>>> I captured the data and I'm enclosing the pcap.  Basically, the ssl
>>>> connection is established at 12:29:39 and is open until Facebook gets
>>>> annoyed and FIN-ACK's the session at 12:44:39 (now we know they time
>>>> out at exactly 15 minutes).  However, why does that show as two entries
>>>> as above?  Thanks for any insight.
>>>> 
>>>> James
>> 
>> Thanks Daniel.  Is there a way to tell bro to have a longer timeout?
>> Thank you.
>> 
>> James


Beautiful thank you....bet I need to redef these and stick it in my 
local.bro.  Thanks again..helps me make this more awesome :)

James
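The redef James mentions, as an added local.bro snippet rather than anything posted in the thread. Raising tcp_inactivity_timeout globally keeps state for every idle TCP connection, so the second block instead uses the set_inactivity_timeout builtin referenced in init-bare.bro to extend the timeout only for connections where an SSL handshake completed; the 20 min value and the module name LongSSL are assumptions chosen to exceed the 15-minute idle period seen in the capture.

```bro
# Added example for local.bro (not code from the thread or from Bro itself).

# Option 1: raise the global default from init-bare.bro (5 min). Simple,
# but the longer timeout applies to every idle TCP connection Bro tracks,
# so connection-state memory grows accordingly.
# redef tcp_inactivity_timeout = 20 min;   # value is an assumption

# Option 2: keep the default and extend the timeout per connection, only
# once Bro has actually seen an SSL session become established.
module LongSSL;                            # module name is an assumption

export {
    ## Inactivity timeout applied to established SSL connections.
    ## Must exceed the 15 min idle period after which the server in the
    ## capture tore the session down, or the flow is still split in two.
    const ssl_idle_timeout = 20 min &redef;
}

event ssl_established(c: connection)
    {
    # set_inactivity_timeout overrides the global tcp_inactivity_timeout
    # for this one conn_id, so the idle session is not expired and logged
    # early, and the eventual FIN/RST is attributed to the same conn.log
    # entry instead of a second one with an empty service field.
    set_inactivity_timeout(c$id, ssl_idle_timeout);
    }
```

Pick one option, not both; with either in place the same 4-tuple should produce a single conn.log entry whose duration covers the whole idle period.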