[Bro] Split-ed connection for some UDP traffic?
fatema bannatwala
fatema.bannatwala at gmail.com
Tue Jul 25 06:12:50 PDT 2017
Hey all,
Just had a recent case where we started to see in the bro conn logs traffic
originating from src port 389 for some of the systems,
and I was scratching my head thinking why would the ldap server initiate the
UDP "connection" (I know that's not a correct term to use here).
Looking more into the logs, I realized that it is actually the response from
the server that Bro is logging as a complete new connection, for example:
1500927487.398576 CLr9ebnHeAYNOGzei 24.132.204.62 41600 128.175.235.216 389 udp - 93.677712 39999 0 S0 F T 0 D 597 56715 0 0 (empty)
1500927487.404591 CapBfs1lhI2XFt4gJb 128.175.235.216 389 24.132.204.62 41600 udp - 93.672242 1773687 0 S0 T F 0 D 597 1790403 0 0 (empty)
Here, in the above case, shouldn't Bro be logging only a single connection
with src: 24.132.204.62 and dest: 128.175.235.216, with History 'Dd'? Or I
might be missing something important here :)
Thanks,
Fatema.
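One way to find such mirrored UDP records in a conn.log after the fact and rejoin them into the single connection the post expects, as an added example that is not part of the original post or of Bro itself. The sample records are the two lines quoted above in tab-separated form; the 1 s pairing window and the merge rule (lower-casing the reply's history letters, since its "originator" is really the responder) are assumptions.

```python
# Column order of a default Bro conn.log (tab-separated, header lines omitted).
FIELDS = ("ts uid orig_h orig_p resp_h resp_p proto service duration orig_bytes "
          "resp_bytes conn_state local_orig local_resp missed_bytes history "
          "orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents").split()
# Constructed sample: the two records quoted in the post, tab-separated.
SAMPLE_LOG = (
    "1500927487.398576\tCLr9ebnHeAYNOGzei\t24.132.204.62\t41600\t128.175.235.216\t389"
    "\tudp\t-\t93.677712\t39999\t0\tS0\tF\tT\t0\tD\t597\t56715\t0\t0\t(empty)\n"
    "1500927487.404591\tCapBfs1lhI2XFt4gJb\t128.175.235.216\t389\t24.132.204.62\t41600"
    "\tudp\t-\t93.672242\t1773687\t0\tS0\tT\tF\t0\tD\t597\t1790403\t0\t0\t(empty)\n"
)

def parse_conn_log(text):
    """Parse conn.log body lines into dicts, skipping '#' header lines."""
    recs = []
    for line in text.splitlines():
        parts = line.split("\t")
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        recs.append(dict(zip(FIELDS, parts)))
    return recs

def find_split_udp_flows(recs, window=1.0):
    """Pair each UDP record with a later one whose 5-tuple is its mirror image
    (orig/resp swapped) and that started within `window` seconds of it."""
    by_tuple = {}
    for r in recs:
        if r["proto"] == "udp":
            key = (r["orig_h"], r["orig_p"], r["resp_h"], r["resp_p"])
            by_tuple.setdefault(key, []).append(r)
    pairs, used = [], set()
    for r in sorted(recs, key=lambda x: float(x["ts"])):
        if r["proto"] != "udp" or r["uid"] in used:
            continue
        mirror = (r["resp_h"], r["resp_p"], r["orig_h"], r["orig_p"])
        for m in by_tuple.get(mirror, []):
            if m["uid"] not in used and 0 <= float(m["ts"]) - float(r["ts"]) <= window:
                used.update((r["uid"], m["uid"]))
                pairs.append((r, m))   # earlier record = the real request
                break
    return pairs

def merge_pair(req, resp):
    """Describe the pair as the single connection Bro would normally log;
    the reply's history is lower-cased since it came from the responder."""
    return {"orig_h": req["orig_h"], "orig_p": req["orig_p"],
            "resp_h": req["resp_h"], "resp_p": req["resp_p"],
            "orig_bytes": int(req["orig_bytes"]), "resp_bytes": int(resp["orig_bytes"]),
            "history": req["history"] + resp["history"].lower(),
            "uids": (req["uid"], resp["uid"])}
```

Running `merge_pair(*find_split_udp_flows(parse_conn_log(SAMPLE_LOG))[0])` on the sample yields one flow from 24.132.204.62:41600 to 128.175.235.216:389 with history 'Dd', which is the record the post expected Bro to write.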