[Bro] Connections in conn.log

mike anastasakis anastasakis62 at gmail.com
Thu May 18 08:31:33 PDT 2017


Hello,

I have a question regarding how the connections are created in conn.log.
I thought that the combination tuple of (src_ip, src_port, dest_ip,
dest_port) was used to define one connection, but this is not the case.

From my conn.log file I have 6 connections with 6 unique different uids but
with the same exact combination tuple mentioned above.

The first connection is the one that establishes the ssl connection and the
other 5 are identified as OTH, which is "No SYN seen, just midstream
traffic (a 'partial connection' that was not later closed)."

Are they not all included in the same connection because bro did not
identify the ssl connection closing? If so, does this mean that bro
considers a flow as a unique connection if there is a problem with the protocol
beginning and ending?


Kind Regards,
Michael
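The situation described in the question (several uids in conn.log sharing one src/dst address and port tuple, with the later records in conn_state OTH) is easy to surface when triaging a log. The script below is an added example, not code from the poster or from the Bro project: it parses the tab-separated conn.log format (the `#fields` header names the columns), groups records by the 4-tuple, and returns the tuples that appear under more than one uid together with each record's conn_state. The log excerpt is constructed for the example, with a reduced set of columns and made-up uids, so it runs offline.

```python
"""Group Bro conn.log records by 4-tuple to spot flows that were split across uids."""
from collections import defaultdict

# Constructed sample conn.log excerpt (not real data, reduced column set):
# one completed SSL session followed by two OTH records that share the same
# (id.orig_h, id.orig_p, id.resp_h, id.resp_p) tuple, plus one unrelated flow.
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tstring\tstring
1495120000.1\tCx1aaaa\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\tssl\t12.5\tSF\tShADadFf
1495120020.2\tCx2bbbb\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\t-\t0.8\tOTH\tDd
1495120030.3\tCx3cccc\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\t-\t0.4\tOTH\tD
1495120040.4\tCx4dddd\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl\t3.0\tSF\tShADadFf
#close\t2017-05-18-08-31-33
"""

# The columns that make up the address/port tuple in conn.log.
TUPLE_KEYS = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p")


def parse_conn_log(text):
    """Parse Bro's tab-separated conn.log into a list of dicts keyed by field name."""
    fields = None
    records = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            # Column names follow the "#fields" token on this header line.
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blank lines
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # skip malformed or truncated lines instead of crashing
        records.append(dict(zip(fields, values)))
    return records


def group_by_tuple(records):
    """Map each 4-tuple to the list of (uid, conn_state) pairs seen for it, in log order."""
    groups = defaultdict(list)
    for rec in records:
        key = tuple(rec[k] for k in TUPLE_KEYS)
        groups[key].append((rec["uid"], rec["conn_state"]))
    return dict(groups)


def split_flows(records):
    """Return only the 4-tuples that appear under more than one uid."""
    return {k: v for k, v in group_by_tuple(records).items() if len(v) > 1}


def state_counts(records):
    """Count conn_state values, useful for seeing how many OTH records a log has."""
    counts = defaultdict(int)
    for rec in records:
        counts[rec["conn_state"]] += 1
    return dict(counts)


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    print("conn_state counts:", state_counts(recs))
    for key, entries in split_flows(recs).items():
        print("tuple", key, "seen under", len(entries), "uids:")
        for uid, state in entries:
            print("   ", uid, state)
```

Run against a real conn.log by replacing `SAMPLE_CONN_LOG` with the file's contents; the grouping keeps records in log order, so the first entry of each group is the one that established the session and the later ones are the midstream (OTH) fragments that belong to it.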