[Bro] Connections in conn.log

Marcin Nawrocki marcin.nawrocki at fu-berlin.de
Fri May 19 10:21:36 PDT 2017


Hello bro community,

Are all connection attempts recorded in conn.log? Let us assume I am
monitoring interface eth0: will I see every connection in this log file ...

   * ...independent of the transport layer protocol (udp, tcp, mptcp, ...)
and its properties (ports)
   * ...independent of firewalls like iptables blocking incoming packets
on eth0
   * ...independent of firewalls like iptables forwarding incoming
packets on eth0 to special targets like NFQUEUE and libnetfilter_queue


Regards, Marcin

On 18-May-17 at 17:31, mike anastasakis wrote:
> Hello,
>
> I have a question regarding how the connections are created in conn.log.
> I thought that the combination tuple of (src_ip, src_port, dest_ip,
> dest_port) was used to define one connection, but this is not the case.
>
> From my conn.log file I have 6 connections with 6 unique 
> different uids but with the same exact combination tuple mentioned above.
>
> The first connection is the one that establishes the ssl connection
> and the other 5 are identified as OTH, which is "No SYN seen, just
> midstream traffic (a "partial connection" that was not later closed)."
>
> Are they not all included in the same connection because bro did not
> identify the ssl connection closing? If so, does this mean that bro
> considers a flow as a unique connection if there is a problem with the
> protocol beginning and ending?
>
>
> Kind Regards,
> Michael
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
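The situation Michael describes, several conn.log records that share one 5-tuple but carry different uids, is easy to spot with a small script. This is an added example, not code from the thread or from the Bro project; the conn.log excerpt is constructed, and the parser reads the `#fields` header rather than assuming a fixed column order.

```python
# Added example: group Bro conn.log records by 5-tuple to see how many
# distinct uids Bro assigned to the same endpoints and which conn_state
# each record carried.  The log excerpt below is constructed.
from collections import defaultdict

# Constructed conn.log excerpt (subset of the standard fields), tab-separated.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\thistory",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring",
    "1495100000.1\tC1aaaa\t10.0.0.5\t51000\t203.0.113.9\t443\ttcp\tssl\tSF\tShADadFf",
    "1495100300.2\tC2bbbb\t10.0.0.5\t51000\t203.0.113.9\t443\ttcp\t-\tOTH\tD",
    "1495100600.3\tC3cccc\t10.0.0.5\t51000\t203.0.113.9\t443\ttcp\t-\tOTH\tDa",
    "1495100010.0\tC4dddd\t10.0.0.5\t51001\t203.0.113.9\t443\ttcp\tssl\tSF\tShADadFf",
    "#close\t2017-05-19-10-00-00",
])


def parse_conn_log(text):
    """Yield one dict per record, keyed by the column names in #fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header lines, #close, blank lines
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def uids_per_tuple(records):
    """Map (orig_h, orig_p, resp_h, resp_p, proto) -> [(ts, uid, conn_state), ...] sorted by ts."""
    groups = defaultdict(list)
    for r in records:
        key = (r["id.orig_h"], r["id.orig_p"], r["id.resp_h"], r["id.resp_p"], r["proto"])
        groups[key].append((float(r["ts"]), r["uid"], r["conn_state"]))
    for entries in groups.values():
        entries.sort()
    return dict(groups)


def reused_tuples(groups):
    """Return only the tuples that Bro split into more than one uid."""
    return {k: v for k, v in groups.items() if len({uid for _, uid, _ in v}) > 1}


if __name__ == "__main__":
    for key, entries in reused_tuples(uids_per_tuple(parse_conn_log(SAMPLE_CONN_LOG))).items():
        print(key)
        for ts, uid, state in entries:
            print(f"  {ts:.1f}  {uid}  {state}")
```

Running it on a real conn.log shows, per reused tuple, the order of uids and their conn_state values, which makes it visible whether the first record closed normally (SF) before the OTH partial connections followed.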
