[Bro] Connections in conn.log
mike anastasakis
anastasakis62 at gmail.com
Thu May 18 08:31:33 PDT 2017
Hello,
I have a question regarding how the connections are created in conn.log.
I thought that the combination tuple of (src_ip, src_port, dest_ip,
dest_port) was used to define one connection but this is not the case.
From my conn.log file I have 6 connections with 6 unique different uids but
with the same exact combination tuple mentioned above.
The first connection is the one that establishes the ssl connection and the
other 5 are identified as *OTH* which is *No SYN seen, just midstream
traffic (a “partial connection” that was not later closed).*
Are they not all included in the same connection because bro did not
identify the ssl connection closing? If so, does this mean that bro
considers a flow as a unique connection if there is a problem with the
protocol beginning and ending?
Kind Regards,
Michael
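As an added example, not part of the original post or of Bro itself, the following Python script parses a constructed conn.log excerpt, groups its records by the (src_ip, src_port, dest_ip, dest_port, proto) tuple and lists the uids and conn_state values logged under each tuple. It reproduces the pattern described in the post: one SF record followed by five OTH records that share the same tuple but carry six different uids. The addresses, timestamps and uids are made up.

```python
"""Group Bro conn.log records by 5-tuple to show that one tuple can span
several uids, each with its own conn_state (example code, not Bro's own)."""
from collections import defaultdict

# Constructed conn.log excerpt (not a real capture). Column layout follows the
# standard Bro conn.log header; only the columns the grouping needs are kept.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\thistory",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring",
    # The first record saw the full handshake and the SSL session (SF).
    "1495120000.100000\tCkx1aA3b2FExample1\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl\tSF\tShADadFf",
    # Later records reuse the same 5-tuple but start midstream: no SYN, so OTH.
    "1495123700.200000\tCkx1aA3b2FExample2\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\t-\tOTH\tDd",
    "1495127300.300000\tCkx1aA3b2FExample3\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\t-\tOTH\tDd",
    "1495130900.400000\tCkx1aA3b2FExample4\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\t-\tOTH\tD",
    "1495134500.500000\tCkx1aA3b2FExample5\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\t-\tOTH\tDd",
    "1495138100.600000\tCkx1aA3b2FExample6\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\t-\tOTH\tD",
    # An unrelated, normally terminated connection on a different tuple.
    "1495120005.000000\tCkx1aA3b2FExample7\t10.0.0.6\t40001\t192.0.2.11\t80\ttcp\thttp\tSF\tShADadFf",
])

# The columns that make up the tuple the post expected to identify a connection.
FIVE_TUPLE = ("id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto")


def parse_conn_log(text):
    """Parse Bro's tab-separated conn.log into a list of dicts keyed by #fields."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # #separator, #types, #open, #close ...
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count mismatch: %r" % line)
        records.append(dict(zip(fields, values)))
    return records


def group_by_tuple(records):
    """Map each 5-tuple to the (uid, conn_state) pairs logged under it, in ts order."""
    groups = defaultdict(list)
    for rec in sorted(records, key=lambda r: float(r["ts"])):
        key = tuple(rec[f] for f in FIVE_TUPLE)
        groups[key].append((rec["uid"], rec["conn_state"]))
    return dict(groups)


def reused_tuples(records):
    """Return the 5-tuples that appear under more than one uid, with their conn_states."""
    return {key: [state for _, state in entries]
            for key, entries in group_by_tuple(records).items()
            if len(entries) > 1}


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for key, states in reused_tuples(recs).items():
        print("%s:%s -> %s:%s/%s: %d uids, conn_state=%s"
              % (key + (len(states), ",".join(states))))
```

Running the script prints the one reused tuple with its six uids and the sequence SF, OTH, OTH, OTH, OTH, OTH. The same grouping is a quick check to run over a real conn.log when a tuple shows up many times: a run of OTH records behind a single SF record means Bro logged midstream traffic for which it saw no SYN, which is exactly what the six uids in the post reflect, so counting connections by tuple rather than by uid would undercount what Bro actually recorded.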