[Bro] Quick question on conn tracking
James Lay
jlay at slave-tothe-box.net
Thu Sep 29 08:31:58 PDT 2016
On 2016-09-28 20:29, Seth Hall wrote:
>> On Sep 28, 2016, at 3:51 PM, James Lay <jlay at slave-tothe-box.net>
>> wrote:
>>
>> 2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp ssl 0.214346 460 170 S1 T F 0 ShADad 8 884 7 542 (empty) -
>>
>> 2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp - 0.016678 31 0 RSTRH T F 0 fDrAr 2 135 3 132 (empty) -
>
> Wow, you're actually seeing 15 minutes where there are no packets seen
> in the connection? I'm surprised that Facebook has such a long
> timeout on their frontend web servers. I would expect that a timeout
> that long would actually cause quite a few middle boxes quite a bit of
> consternation as well. :)
>
> .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/

Heh.... Spotify is even worse :P
notice.log:1475161562.899483 CPEyXm4oD4iu0xu4v1 192.168.1.101 42263 193.235.203.66 4070 - - - tcp LongConnection::found 192.168.1.101 -> 193.235.203.66:4070/tcp remained alive for longer than 49m42s 2981.66 192.168.1.101 193.235.203.66 4070 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
CRAZYTOWN!
James
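Added example, not code from the thread or from the Bro project: a small Python script that parses the two conn.log records quoted above, decodes the `history` field using the letter meanings from the Bro documentation, and reports a 5-tuple that reappears after an idle gap with no SYN in its history. That is what a flow looks like once Bro's TCP inactivity timeout (5 minutes by default) has expired and the same connection is picked up again mid-stream: the second record carries no handshake, so it gets an odd `conn_state` such as `RSTRH`. The posted lines use a non-default column layout (ISO timestamp, no uid, one trailing extra column); the `COLUMNS` tuple is an assumption that matches them, and the sample input is the two records copied from the mail.

```python
"""Decode Bro conn.log records and spot a flow that Bro split into two records.

Added example, not code from the original thread or from the Bro project.
The posted conn.log lines use a non-default layout (ISO timestamp, no uid,
one trailing extra column); COLUMNS below is an assumption that matches them.
"""
from collections import defaultdict
from datetime import datetime
from typing import List, NamedTuple, Tuple

# Assumed column order for the posted (non-default) conn.log layout.
COLUMNS = (
    "ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
    "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
    "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
    "resp_pkts", "resp_ip_bytes", "tunnel_parents", "extra",
)

# conn.log history letters per the Bro documentation; uppercase means the
# originator sent it, lowercase the responder.
HISTORY_FLAGS = {
    "s": "SYN", "h": "SYN+ACK", "a": "ACK", "d": "data", "f": "FIN",
    "r": "RST", "c": "bad checksum", "t": "retransmission",
    "i": "inconsistent packet", "q": "multi-flag packet",
}

# Sample input: the two records quoted in the thread.
SAMPLE_CONN_LOG = """\
2016-09-28T12:29:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp ssl 0.214346 460 170 S1 T F 0 ShADad 8 884 7 542 (empty) -
2016-09-28T12:44:39-0600 192.168.1.101 44083 31.13.76.101 443 tcp - 0.016678 31 0 RSTRH T F 0 fDrAr 2 135 3 132 (empty) -
"""

Flow = Tuple[str, str, str, str, str]


class Split(NamedTuple):
    flow: Flow
    idle_gap: float      # seconds from end of the earlier record to start of the later one
    later: dict          # the record Bro opened when the flow reappeared
    no_handshake: bool   # later record's history has no SYN: picked up mid-stream


def parse_conn_log(text: str) -> List[dict]:
    """Parse whitespace-separated conn.log lines into dicts keyed by COLUMNS."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} fields, got {len(fields)}: {line!r}")
        rec = dict(zip(COLUMNS, fields))
        # %z accepts the -0600 style offset used in the posted timestamps.
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S%z")
        rec["duration"] = 0.0 if rec["duration"] == "-" else float(rec["duration"])
        records.append(rec)
    return records


def decode_history(history: str) -> List[str]:
    """Expand a history string such as 'ShADad' into human-readable events."""
    events = []
    for ch in history:
        if ch == "^":
            events.append("direction flipped")
            continue
        side = "orig" if ch.isupper() else "resp"
        events.append(f"{HISTORY_FLAGS.get(ch.lower(), 'unknown ' + ch)} ({side})")
    return events


def five_tuple(rec: dict) -> Flow:
    return (rec["orig_h"], rec["orig_p"], rec["resp_h"], rec["resp_p"], rec["proto"])


def find_split_connections(records: List[dict], min_gap: float = 60.0) -> List[Split]:
    """Find 5-tuples that reappear after an idle gap of at least min_gap seconds.

    When a TCP flow stays silent past Bro's inactivity timeout, Bro closes the
    record and, once packets return, opens a new one for the same 5-tuple.
    That second record never saw a SYN, so its history lacks an 'S'/'s'.
    """
    by_flow = defaultdict(list)
    for rec in records:
        by_flow[five_tuple(rec)].append(rec)
    splits = []
    for flow, recs in by_flow.items():
        recs.sort(key=lambda r: r["ts"])
        for earlier, later in zip(recs, recs[1:]):
            end_of_earlier = earlier["ts"].timestamp() + earlier["duration"]
            gap = later["ts"].timestamp() - end_of_earlier
            if gap >= min_gap:
                splits.append(Split(flow, gap, later, "s" not in later["history"].lower()))
    return splits


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for rec in recs:
        print(rec["ts"].isoformat(), rec["conn_state"], "|", ", ".join(decode_history(rec["history"])))
    for s in find_split_connections(recs):
        print(f"{s.flow[0]}:{s.flow[1]} -> {s.flow[2]}:{s.flow[3]}/{s.flow[4]} reappeared "
              f"after {s.idle_gap:.1f}s idle; no handshake in later record: {s.no_handshake}")
```

Run on the sample, the script reports a 899.8 s idle gap for the 44083 -> 443 flow and flags the later record as having no handshake, which is the "15 minutes with no packets" that the reply above remarks on. Reused ephemeral ports will also produce two records for one 5-tuple, which is why the `no_handshake` check matters: a genuinely new connection shows an `S` in its history, a timed-out continuation does not.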