[Bro] Quick question on conn tracking

Daniel Guerra daniel.guerra69 at gmail.com
Thu Sep 29 09:15:10 PDT 2016


It seems to pop up with a few types of history. Here RSTRH
104.70.5.52 (akamai/itunes) has ^fR

> On 29 Sep 2016, at 17:31, James Lay <jlay at slave-tothe-box.net> wrote:
> 
> On 2016-09-28 20:29, Seth Hall wrote:
>>> On Sep 28, 2016, at 3:51 PM, James Lay <jlay at slave-tothe-box.net> 
>>> wrote:
>>> 
>>> 2016-09-28T12:29:39-0600  192.168.1.101   44083   31.13.76.101    443     tcp     ssl     0.214346        460     170     S1      T       F       0       ShADad  8       884     7       542     (empty) -
>>> 
>>> 2016-09-28T12:44:39-0600  192.168.1.101   44083   31.13.76.101    443     tcp     -       0.016678        31      0       RSTRH   T       F       0       fDrAr   2       135     3       132     (empty) -
>> 
>> Wow, you're actually seeing 15 minute where there are no packets seen
>> in the connection?  I'm surprised that Facebook has such a long
>> timeout on their frontend web servers.  I would expect that a timeout
>> that long would actually cause quite a few middle boxes quite a bit of
>> consternation as well. :)
>> 
>>  .Seth
>> 
>> --
>> Seth Hall
>> International Computer Science Institute
>> (Bro) because everyone has a network
>> http://www.bro.org/
> 
> Heh....spotify is even worse :P
> 
> notice.log:1475161562.899483    CPEyXm4oD4iu0xu4v1      192.168.1.101   42263   193.235.203.66  4070    -       -       -       tcp     LongConnection::found   192.168.1.101 -> 193.235.203.66:4070/tcp remained alive for longer than 49m42s  2981.66 192.168.1.101   193.235.203.66  4070    -       bro     Notice::ACTION_LOG      3600.000000     F       -       -       -       -       -
> 
> CRAZYTOWN!
> 
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
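As an added example (not code from this thread or from the Bro project), a small Python decoder for the conn.log `history` strings quoted above (`ShADad`, `fDrAr`, `^fR`); the letter meanings follow Bro's conn.log documentation, where uppercase letters are packets from the originator, lowercase from the responder, and `^` marks a connection whose direction Bro flipped.

```python
"""Decode Bro/Zeek conn.log history strings (e.g. 'ShADad', 'fDrAr', '^fR').

Added example, not code from the thread. Letter meanings follow the
conn.log documentation: uppercase = originator, lowercase = responder,
'^' = Bro flipped the connection direction with its heuristic.
"""
# Meaning of each history letter; the letter's case encodes which side sent it.
HISTORY_CODES = {
    "s": "SYN without ACK",
    "h": "SYN+ACK",
    "a": "pure ACK",
    "d": "packet with payload",
    "f": "FIN",
    "r": "RST",
    "c": "bad checksum",
    "t": "retransmission",
    "i": "inconsistent packet (e.g. SYN+RST)",
    "q": "multi-flag packet (SYN+FIN or SYN+RST)",
}

def decode_history(history: str) -> dict:
    """Return the packet sequence plus the flags a triager checks first."""
    events, unknown = [], []
    closers = {"originator": "", "responder": ""}
    flipped, seen = False, set()
    for ch in history:
        if ch == "^":
            flipped = True
            events.append("direction flipped by Bro's heuristic")
            continue
        meaning = HISTORY_CODES.get(ch.lower())
        if meaning is None:
            unknown.append(ch)  # letter this decoder does not know
            continue
        side = "originator" if ch.isupper() else "responder"
        events.append(f"{side}: {meaning}")
        seen.add(ch)
        # Record how each side first signalled termination, if at all.
        if ch.lower() in ("f", "r") and not closers[side]:
            closers[side] = "FIN" if ch.lower() == "f" else "RST"
    return {
        "events": events,
        "flipped": flipped,
        # A full handshake needs an originator SYN and a responder SYN+ACK.
        "handshake_seen": {"S", "h"} <= seen,
        "orig_closed": closers["originator"],
        "resp_closed": closers["responder"],
        "unknown": unknown,
    }
```

Running it over the two records quoted above shows why the second one is RSTRH: `fDrAr` starts with a responder FIN and never contains the SYN/SYN+ACK pair, so Bro saw only the tail of an already established connection.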
