[Bro] binpac exception: out_of_bound: SSLRecord:rec: 41702 > 1350

Johanna Amann johanna at icir.org
Tue Apr 17 09:36:55 PDT 2018 

Oh - interesting, these are udp.

In that case I instantly feel much less bad about this. It is probably 
google experimenting with something. Let me still check if I see that 
too :)

Johanna

On 17 Apr 2018, at 9:34, fatema bannatwala wrote:

> Hi Johanna,
>
> Thanks for the response.
> I was analyzing these more, and looked in the connection logs to see 
> which
> these corresponds to.
> And seeing UDP connections on 443 which are pretty long, and majority 
> of
> dest IPs are Google Inc. owned with some king of video streaming 
> service, I
> think YOUTUBE,
> hence was thinking if these weird notices are corresponding to any 
> DTLS
> traffic to those video streaming services provided by Google.
> Also, to my notice, no SSL records got logged as well for these, which 
> I
> assumed should have processed by SSL Analyzer. Hmm.
>
> $ current/*.log | grep "C7lzD74mBAzB4usIHe"
> 1523972950.556723       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>  64.15.123.22    *443     udp*     -       983.275963      2555936
> 162005599       SF    417     165405275       (empty) worker-3-12
> 1523973692.538113       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>  64.15.123.22    443     binpac exception: out_of_bound: 
> SSLRecord:rec:
> 58376 > 1350
> 1523973693.501421       C7lzD74mBAzB4usIHe      128.4.154.42    59835
>  64.15.123.22    443     binpac exception: out_of_bound: 
> SSLRecord:rec:
> 11466 > 1350
>
> IP:  64.15.123.22, r7.sn-bvvbax-2iae.googlevideo.com , Aut
> onomous_System-YOUTUBE
>
> Thanks,
> Fatema.
>
> On Tue, Apr 17, 2018 at 12:20 PM, Johanna Amann <johanna at icir.org> 
> wrote:
>
>> Hi Fatema,
>>
>> the answer is that you should not see this happen very often. Let me 
>> check
>> if that is something that I can also observe in our local cluster - 
>> the
>> last time I checked things looked more or less normal.
>>
>> Johanna
>>
>> On Tue, Apr 17, 2018 at 09:11:38AM -0400, fatema bannatwala wrote:
>>> Hi Everyone,
>>>
>>> Looking at weird.log file recently showed a lot of weird notices 
>>> logged
>> for
>>> the bicpac exception: out_of_bound, specifically for SSLRecord.
>>> Hence wanted to ask if these can be safely ignored, or if anything 
>>> is
>>> broken and there are some serious issues with the traffic Bro is 
>>> seeing.
>> :)
>>>
>>> Here are some of the notices from weird.log:
>>>
>>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
>>> 52113   64.15.123.22    443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 48205 > 1350     -       F       worker-3-6
>>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1
>>> 52113   64.15.123.22    443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 36586 > 1350     -       F       worker-3-6
>>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l      
>>> 128.175.252.224
>>> 54493   64.15.123.22    443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 17689 > 1350     -       F       worker-3-7
>>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l      
>>> 128.175.252.224
>>> 54493   64.15.123.22    443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 34801 > 1350     -       F       worker-3-7
>>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
>>> 61457   64.15.123.23    443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 63514 > 1350     -       F       worker-1-1
>>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167
>>> 61457   64.15.123.23    443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 4143 > 1350      -       F       worker-1-1
>>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 13126 > 1350     -       F       worker-2-19
>>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 13126 > 1261     -       F       worker-2-19
>>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 63719 > 41       -       F       worker-2-19
>>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 17744 > 35       -       F       worker-2-19
>>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 64155 > 38       -       F       worker-2-19
>>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54
>>>  65054   173.194.205.189 443     binpac exception: out_of_bound:
>>> SSLRecord:rec: 54546 > 41       -       F       worker-2-19
>>>
>>> Appreciate any insights. :)
>>>
>>> Thanks!
>>> Fatema.
>>
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>

More information about the Bro mailing list