[Bro] Connections in conn.log

Johanna Amann johanna at icir.org
Tue May 30 10:20:20 PDT 2017


On Fri, May 19, 2017 at 07:21:36PM +0200, Marcin Nawrocki wrote:
> Hello bro community,
> 
> are all connection attempts recorded in conn.log? Let us assume I am
> monitoring interface eth0, will I see every connection in this log file ...
> 
>   * ...independent of the transport layer protocol (udp,tcp,mptcp...) and
> its properties (ports)

Kind of. The underlying transport protocol has to be supported by Bro, so
you are limited to udp and tcp.

>   * ...independent of firewalls like iptables blocking incoming packets on
> eth0

Bro will log information about the packets that are delivered to it.
Hence, this depends on your system configuration; if you use a mechanism
that delivers packets to Bro even if iptables has block rules on the
interface, yes; if not, then no. That being said, I think that iptables
rules are generally ignored in promiscuous mode.

>   * ...independent of firewalls like iptables forwarding incoming packets on
> eth0 to special targets like NFQUEUE and libnetfilter_queue

Same answer as to the last question - Bro sees whatever libpcap (or
whatever packet source you use) feeds to it.

I hope this helps,
 Johanna
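The practical way to settle the questions above for your own setup is to look at what actually landed in conn.log: parse it and count rows by the proto and conn_state columns. The example below is added here and is not code from the thread or from the Bro project; the conn.log excerpt in it is constructed, the column layout and the conn_state codes (S0 = attempt seen, no reply; REJ = attempt rejected; RSTOS0 = originator sent a SYN followed by a RST and the responder never replied) are Bro's standard ones, and the function names are my own. Unanswered attempts are exactly the rows that disappear if Bro is fed only what survives a host firewall, so they are the rows to check for when verifying that attempts are logged at all.

```python
"""Summarize which connection attempts landed in a Bro conn.log.

Added example, not from the mailing-list thread or the Bro project.
SAMPLE_CONN_LOG is a constructed excerpt in Bro's ASCII log format.
"""
import collections

# Constructed sample: standard conn.log header, made-up rows.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#open\t2017-05-30-10-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]
1496163600.000000\tCabc1\t10.0.0.5\t51000\t10.0.0.9\t22\ttcp\tssh\t1.5\t1200\t3400\tSF\tT\tT\t0\tShADadFf\t10\t1800\t12\t4000\t(empty)
1496163601.000000\tCabc2\t10.0.0.5\t51001\t10.0.0.9\t23\ttcp\t-\t-\t-\t-\tS0\tT\tT\t0\tS\t1\t60\t0\t0\t(empty)
1496163602.000000\tCabc3\t10.0.0.5\t51002\t10.0.0.9\t8080\ttcp\t-\t-\t-\t-\tREJ\tT\tT\t0\tSr\t1\t60\t1\t40\t(empty)
1496163603.000000\tCabc4\t10.0.0.5\t40000\t10.0.0.9\t53\tudp\tdns\t0.01\t40\t120\tSF\tT\tT\t0\tDd\t1\t68\t1\t148\t(empty)
1496163604.000000\tCabc5\t10.0.0.5\t40001\t10.0.0.9\t161\tudp\t-\t-\t-\t-\tS0\tT\tT\t0\tD\t1\t70\t0\t0\t(empty)
#close\t2017-05-30-11-00-00
"""

# Bro conn_state codes that mark an attempt the responder never completed.
ATTEMPT_STATES = {
    "S0": "attempt seen, no reply",
    "REJ": "attempt rejected",
    "RSTOS0": "originator sent SYN then RST, responder never replied",
}


def _coerce(value, bro_type, unset, empty):
    """Map a raw field to a Python value using the #types header."""
    if value == unset:
        return None
    if value == empty:
        return ""
    if bro_type in ("count", "int", "port"):
        return int(value)
    if bro_type in ("time", "interval", "double"):
        return float(value)
    if bro_type == "bool":
        return value == "T"
    return value


def parse_bro_log(text):
    """Parse Bro's ASCII log format into a list of dicts keyed by #fields names."""
    sep, unset, empty = "\t", "-", "(empty)"
    fields = types = None
    records = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # Written before the separator is known: space-delimited, escaped (e.g. "\x09").
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close, #set_separator are metadata
        if fields is None or types is None:
            raise ValueError("data line before #fields/#types header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        records.append({f: _coerce(v, t, unset, empty)
                        for f, v, t in zip(fields, values, types)})
    return records


def count_by_proto_and_state(records):
    """{(proto, conn_state): n}: quickest way to see which transports and outcomes Bro logged."""
    return dict(collections.Counter((r["proto"], r["conn_state"]) for r in records))


def unanswered_attempts(records):
    """Rows for attempts the responder never completed (S0, REJ, RSTOS0)."""
    return [
        (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"], r["proto"], r["conn_state"])
        for r in records if r["conn_state"] in ATTEMPT_STATES
    ]


if __name__ == "__main__":
    recs = parse_bro_log(SAMPLE_CONN_LOG)
    for key, n in sorted(count_by_proto_and_state(recs).items()):
        print(key, n)
    for row in unanswered_attempts(recs):
        print(row, "->", ATTEMPT_STATES[row[-1]])
```

To use it on a real capture, replace SAMPLE_CONN_LOG with the contents of conn.log and run a known probe (for instance a SYN to a closed port and a UDP datagram to an unused port) while Bro is listening; if those probes do not appear as S0 or REJ rows, the packet source is not delivering them to Bro.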
