[Bro] intel.log file stops getting generated.

fatema bannatwala fatema.bannatwala at gmail.com
Wed Jan 25 12:29:44 PST 2017 

Thanks Justin!

Happening again, no intel.log file getting generated (I don't know why poor
intel file getting impacted, n not any other log file :-/ )

Here's the stats (before I go ahead and disable scan.bro, and restart the
cluster)
$ cat conn.log |bro-cut id.resp_p history|fgrep -w S|sort|uniq  -c|sort
-nr|head
 398587 2323    S
 256953 5358    S
 205109 7547    S
 115442 6789    S
 101712 22      S
  97051 81      S
  90099 5800    S
  44297 40884   S
  43943 40876   S
  35522 80      S

$ free
              total        used        free      shared  buff/cache
available
Mem:      131921372   131069700      562628       18476      289044
 223264
Swap:       8388600     4443208     3945392

As it can be seen above, worker1 using almost 100% memory :(

Going to disable scan.bro, and restart the cluster.
Also, will get Munin to have system monitoring graph on the sensors.

Thanks,
Fatema.

On Wed, Jan 25, 2017 at 2:42 PM, Azoff, Justin S <jazoff at illinois.edu>
wrote:

> > On Jan 25, 2017, at 2:06 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
> >
> > Thanks Justin for suggesting some tools :-) will try those (Maybe Munin
> first)
> >
> > Here's the output of the cmds:
> >
> > $ wc -l conn.log
> > 12913751 conn.log
> >
> > $ cat conn.log|bro-cut id.resp_p |fgrep -cw 23
> > 3
> >
> > $ cat conn.log|bro-cut history|sort|uniq  -c |sort -rn|head
> > 4230547 S
> > 2938925 Dd
> > 1059285 ShADadFf
> >  968902 ShADadfF
> >  915401 D
> >  212507 ShAFf
> >  177731 SAF
> >  177359 ShADadFfR
> >  159024 ShADadfFr
> >  140911 ShADdaFf
>
> Interesting, you're not seeing port 23 scans, but you are seeing a lot of
> scans.. 1/3 of your connections are unanswered Syn packets.
>
> This would show what port is being scanned:
>
>     cat conn.log |bro-cut id.resp_p history|fgrep -w S|sort|uniq  -c|sort
> -nr|head
>
> Disabling scan.bro would likely help a lot.
>
> --
> - Justin Azoff
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20170125/eee483ee/attachment.html

More information about the Bro mailing list