[Bro] Connections in conn.log
Johanna Amann
johanna at icir.org
Tue May 30 10:16:06 PDT 2017
On Thu, May 18, 2017 at 05:31:33PM +0200, mike anastasakis wrote:
> Hello,
>
> I have a question regarding how the connections are created in conn.log.
> I thought that the combination tuple of (src_ip, src_port, dest_ip,
> dest_port) was used to define one connection but this is not the case.
It generally kind of should be the case (with certain gotchas).
Connections are only held in memory for a certain amount of time (so you
can get the same 5-tuple after a period of time passes; the period of time
depends on the packets that were seen and on the protocol and can be as
low as a few seconds and as high as a few hours).
In addition, if you are running a Bro cluster, each worker node logs
connections separately.
> The first connection is the one that establishes the ssl connection and the
> other 5 are identified as *OTH*, which is *No SYN seen, just midstream
> traffic (a “partial connection” that was not later closed).*
Is this a long-lived connection? Is there a chance that a few minutes
passed without any data in between? That would cause Bro to flush out the
connection, forget about it, and then recognize the following packets as a
new connection.
The second possibility is that you have a cluster and that packet
distribution is somehow misconfigured.
Those would be my ideas, I hope that helps,
Johanna
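A small check for the situation discussed in this thread, added here as an example rather than code from the post or the Bro project: it groups conn.log records by 5-tuple and, for each repeat of a tuple, reports the idle gap since the previous record ended and whether that gap exceeds the inactivity timeout (so the repeat is Bro re-tracking the flow) or not (which points at something else, such as cluster packet distribution). The sample conn.log lines are constructed, and the timeout values are assumed Bro defaults that a site may have changed.

```python
"""Group Bro conn.log rows by 5-tuple and explain repeats of the same tuple:
after the inactivity timeout the flow is re-tracked; with no idle gap, look elsewhere."""

# Assumed Bro defaults (tcp/udp/icmp_inactivity_timeout) in seconds; site-tunable.
INACTIVITY_TIMEOUT = {"tcp": 300.0, "udp": 60.0, "icmp": 60.0}

# Constructed sample conn.log in Bro's tab-separated format (subset of fields).
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto"
    "\tservice\tduration\tconn_state\n"
    "1495120000.000000\tCsmp1\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\tssl\t120.5\tSF\n"
    "1495120500.000000\tCsmp2\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\t-\t3.0\tOTH\n"
    "1495120503.000000\tCsmp3\t10.0.0.5\t51234\t192.0.2.10\t443\ttcp\t-\t-\tOTH\n"
    "1495120010.000000\tCsmp4\t10.0.0.7\t40000\t192.0.2.20\t53\tudp\tdns\t0.1\tSF\n"
)

def parse_conn_log(text):
    """Return one dict per record, keyed by the names in the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif not line or line.startswith("#"):
            continue  # other header/footer lines (#separator, #types, #close, ...)
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def _num(value):
    return 0.0 if value == "-" else float(value)  # "-" is Bro's unset field

def find_tuple_repeats(rows):
    """Report every follow-up record of an already-seen 5-tuple with its idle gap."""
    by_tuple = {}
    for r in rows:
        key = (r["id.orig_h"], r["id.orig_p"], r["id.resp_h"], r["id.resp_p"], r["proto"])
        by_tuple.setdefault(key, []).append(r)
    findings = []
    for key, entries in by_tuple.items():
        entries.sort(key=lambda r: float(r["ts"]))
        for prev, cur in zip(entries, entries[1:]):
            # Idle time between the end of the previous record and the start of this one.
            gap = float(cur["ts"]) - (float(prev["ts"]) + _num(prev["duration"]))
            timed_out = gap >= INACTIVITY_TIMEOUT.get(key[4], 300.0)
            findings.append({"uid": cur["uid"], "after_uid": prev["uid"], "gap": gap,
                             "conn_state": cur["conn_state"],
                             "cause": "inactivity_timeout" if timed_out else "no_timeout_gap"})
    return findings
```

Running `find_tuple_repeats(parse_conn_log(open("conn.log").read()))` on a real log lists each re-tracked tuple; OTH records tagged `no_timeout_gap` are the ones worth checking against worker/packet distribution.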