[Bro] Quick question on conn tracking
James Lay
jlay at slave-tothe-box.net
Wed Sep 28 15:43:31 PDT 2016
On 2016-09-28 16:40, Daniel Guerra wrote:
> /usr/local/bro/share/bro/base/init-bare.bro
>
> ## If a TCP connection is inactive, time it out after this interval.
> If 0 secs,
>
> ## then don't time it out.
>
>
> ##
>
>
> ## .. bro:see:: udp_inactivity_timeout icmp_inactivity_timeout
> set_inactivity_timeout
>
> const tcp_inactivity_timeout = 5 min &redef;
>
>
>
>
>
> ## If a UDP flow is inactive, time it out after this interval. If 0
> secs, then
>
> ## don't time it out.
>
>
> ##
>
>
> ## .. bro:see:: tcp_inactivity_timeout icmp_inactivity_timeout
> set_inactivity_timeout
>
> const udp_inactivity_timeout = 1 min &redef;
>
>
>
>
>
> ## If an ICMP flow is inactive, time it out after this interval. If 0
> secs, then
>
> ## don't time it out.
>
>
> ##
>
>
> ## .. bro:see:: tcp_inactivity_timeout udp_inactivity_timeout
> set_inactivity_timeout
>
> const icmp_inactivity_timeout = 1 min &redef;
>
>> On 29 Sep 2016, at 00:28, James Lay <jlay at slave-tothe-box.net> wrote:
>>
>> On 2016-09-28 16:25, Daniel Guerra wrote:
>>> I get the same in elasticsearch.
>>> But its got nothing to do with it.
>>>
>>> Bro seems to split the socket because
>>> of the time inbetween the activity.
>>>
>>> You can avoid this by longer timeouts.
>>>
>>> It would be better to create a script that
>>> keeps track of all ssl connections in
>>> memory/broker.
>>>
>>> I had to convert your dump to tcpdump
>>> in order to read it in bro (git)
>>>
>>>
>>>> On 28 Sep 2016, at 21:51, James Lay <jlay at slave-tothe-box.net>
>>>> wrote:
>>>>
>>>> Hey all,
>>>>
>>>> So I'm getting bro and elasticsearch going, with one of the goals of
>>>> finding flows with no service field. That being said I am seeing
>>>> that
>>>> long session, at least I THINK that's what I'm seeing, appear to be
>>>> counted twice. From conn.log:
>>>>
>>>> 2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101
>>>> 443
>>>> tcp ssl 0.214346 460 170 S1 T F
>>>> 0 ShADad 8 884 7 542 (empty) -
>>>>
>>>> 2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101
>>>> 443
>>>> tcp - 0.016678 31 0 RSTRH T F
>>>> 0 fDrAr 2 135 3 132 (empty) -
>>>>
>>>> I captured the data and I'm enclosing the pcap. Basically, ssl
>>>> connection is established at 12:29:39 and is open until Facebook
>>>> gets
>>>> annoyed and FIN-ACK's the session at 12:44:39 (now we know they time
>>>> out at exactly 15 minutes). However why does that show as entries
>>>> as
>>>> above? Thanks for any insight.
>>>>
>>>> James
>>
>> Thanks Danial. Is there a way to tell bro to have a longer timeout?
>> Thank you.
>>
>> James
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
Beautiful thank you....bet I need to redef these and stick it in my
local.bro. Thanks again..helps me make this more awesome :)
James
More information about the Bro
mailing list