[Bro] binpac exception: out_of_bound: SSLRecord:rec: 41702 > 1350
fatema bannatwala
fatema.bannatwala at gmail.com
Tue Apr 17 09:34:12 PDT 2018
Hi Johanna,
Thanks for the response.
I was analyzing these more, and looked in the connection logs to see which
these correspond to.
And seeing UDP connections on 443 which are pretty long, and majority of
dest IPs are Google Inc. owned with some kind of video streaming service, I
think YOUTUBE,
hence was thinking if these weird notices are corresponding to any DTLS
traffic to those video streaming services provided by Google.
Also, to my notice, no SSL records got logged as well for these, which I
assumed should have been processed by SSL Analyzer. Hmm.
$ current/*.log | grep "C7lzD74mBAzB4usIHe"
1523972950.556723 C7lzD74mBAzB4usIHe 128.4.154.42 59835 64.15.123.22 *443 udp* - 983.275963 2555936 162005599 SF 417 165405275 (empty) worker-3-12
1523973692.538113 C7lzD74mBAzB4usIHe 128.4.154.42 59835 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 58376 > 1350
1523973693.501421 C7lzD74mBAzB4usIHe 128.4.154.42 59835 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 11466 > 1350
IP: 64.15.123.22, r7.sn-bvvbax-2iae.googlevideo.com, Autonomous_System-YOUTUBE
Thanks,
Fatema.
On Tue, Apr 17, 2018 at 12:20 PM, Johanna Amann <johanna at icir.org> wrote:
> Hi Fatema,
>
> the answer is that you should not see this happen very often. Let me check
> if that is something that I can also observe in our local cluster - the
> last time I checked things looked more or less normal.
>
> Johanna
>
> On Tue, Apr 17, 2018 at 09:11:38AM -0400, fatema bannatwala wrote:
> > Hi Everyone,
> >
> > Looking at weird.log file recently showed a lot of weird notices logged for
> > the binpac exception: out_of_bound, specifically for SSLRecord.
> > Hence wanted to ask if these can be safely ignored, or if anything is
> > broken and there are some serious issues with the traffic Bro is seeing. :)
> >
> > Here are some of the notices from weird.log:
> >
> > 2018-04-17T09:01:56-0400 CyVf0j1M4RughxzHt4 128.4.61.1 52113 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 48205 > 1350 - F worker-3-6
> > 2018-04-17T09:01:56-0400 CyVf0j1M4RughxzHt4 128.4.61.1 52113 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 36586 > 1350 - F worker-3-6
> > 2018-04-17T09:02:02-0400 CZlYI32EvsHn4OX81l 128.175.252.224 54493 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 17689 > 1350 - F worker-3-7
> > 2018-04-17T09:02:02-0400 CZlYI32EvsHn4OX81l 128.175.252.224 54493 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 34801 > 1350 - F worker-3-7
> > 2018-04-17T09:02:03-0400 Cxl308dWBQAhdAuvf 128.4.95.167 61457 64.15.123.23 443 binpac exception: out_of_bound: SSLRecord:rec: 63514 > 1350 - F worker-1-1
> > 2018-04-17T09:02:03-0400 Cxl308dWBQAhdAuvf 128.4.95.167 61457 64.15.123.23 443 binpac exception: out_of_bound: SSLRecord:rec: 4143 > 1350 - F worker-1-1
> > 2018-04-17T09:02:16-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 13126 > 1350 - F worker-2-19
> > 2018-04-17T09:02:16-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 13126 > 1261 - F worker-2-19
> > 2018-04-17T09:02:16-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 63719 > 41 - F worker-2-19
> > 2018-04-17T09:02:16-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 17744 > 35 - F worker-2-19
> > 2018-04-17T09:02:17-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 64155 > 38 - F worker-2-19
> > 2018-04-17T09:02:17-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 54546 > 41 - F worker-2-19
> >
> > Appreciate any insights. :)
> >
> > Thanks!
> > Fatema.
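The correlation described in this message (looking up each weird.log entry's uid in conn.log to see which transport carried it), as an added example that is not part of the original post or of Bro itself. It assumes default tab-separated Bro logs; the function names, uids and sample rows are constructed.

```python
import re
from collections import defaultdict

# weird.log row: ts, uid, 4-tuple, then the SSLRecord out_of_bound message.
WEIRD_RE = re.compile(
    r"^\S+\s+(?P<uid>\S+)\s+\S+\s+\d+\s+\S+\s+\d+\s+"
    r"binpac exception: out_of_bound: SSLRecord:rec: "
    r"(?P<claimed>\d+) > (?P<avail>\d+)")

def parse_conn(lines):
    """Map uid -> (proto, resp_port, service) from tab-separated conn.log rows."""
    conns = {}
    for line in lines:
        f = line.rstrip("\n").split("\t")
        if not line.startswith("#") and len(f) >= 8:
            conns[f[1]] = (f[6], int(f[5]), f[7])
    return conns

def triage(weird_lines, conn_lines):
    """Group SSLRecord out_of_bound weirds by uid and attach conn.log context."""
    conns = parse_conn(conn_lines)
    hits = defaultdict(list)
    for line in weird_lines:
        m = WEIRD_RE.match(line)
        if m:
            hits[m["uid"]].append((int(m["claimed"]), int(m["avail"])))
    report = {}
    for uid, pairs in hits.items():
        proto, port, service = conns.get(uid, ("unknown", None, "-"))
        report[uid] = {"proto": proto, "resp_port": port, "service": service,
                       "count": len(pairs), "max_claimed": max(c for c, _ in pairs)}
    return report

# Constructed sample rows (documentation addresses, made-up uids).
SAMPLE_CONN = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1523972950.5\tCaaa111\t192.0.2.10\t59835\t198.51.100.22\t443\tudp\t-",
    "1523972951.0\tCbbb222\t192.0.2.11\t40000\t198.51.100.23\t443\ttcp\tssl",
]
W = "binpac exception: out_of_bound: SSLRecord:rec: "
SAMPLE_WEIRD = [
    f"1523973692.5\tCaaa111\t192.0.2.10\t59835\t198.51.100.22\t443\t{W}58376 > 1350\t-\tF\tw1",
    f"1523973693.5\tCaaa111\t192.0.2.10\t59835\t198.51.100.22\t443\t{W}11466 > 1350\t-\tF\tw1",
    f"1523973694.0\tCccc333\t192.0.2.12\t50000\t198.51.100.24\t443\t{W}4143 > 41\t-\tF\tw1",
    "1523973695.0\tCbbb222\t192.0.2.11\t40000\t198.51.100.23\t443\tdata_before_established\t-\tF\tw1",
]

if __name__ == "__main__":
    print(triage(SAMPLE_WEIRD, SAMPLE_CONN))
```

A uid reported with proto `unknown` has no conn.log row in the files supplied, which usually means the connection had not yet been logged or was written to a different rotation.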