[Bro] binpac exception: out_of_bound: SSLRecord:rec: 41702 > 1350

Drew Dixon dwdixon at umich.edu
Thu Apr 19 12:07:34 PDT 2018


Looks like this is probably just QUIC <https://en.wikipedia.org/wiki/QUIC>
(more here <https://docs.google.com/document/d/1lmL9EF6qKrk7gbazY8bIdvq3Pno2Xj_l_YShP40GLQE>)
traffic, which is likely tightly intermixed with various YouTube
(streaming, uploading, posting, etc.) application traffic via tcp/443 from
the same IP.

-Drew

On Tue, Apr 17, 2018 at 12:36 PM, Johanna Amann <johanna at icir.org> wrote:

> Oh - interesting, these are udp.
>
> In that case I instantly feel much less bad about this. It is probably
> Google experimenting with something. Let me still check if I see that
> too :)
>
> Johanna
>
> On 17 Apr 2018, at 9:34, fatema bannatwala wrote:
>
> > Hi Johanna,
> >
> > Thanks for the response.
> > I was analyzing these more, and looked in the connection logs to see
> > which these correspond to.
> > And seeing UDP connections on 443 which are pretty long, and majority of
> > dest IPs are Google Inc. owned with some kind of video streaming service,
> > I think YOUTUBE,
> > hence was thinking if these weird notices are corresponding to any DTLS
> > traffic to those video streaming services provided by Google.
> > Also, to my notice, no SSL records got logged as well for these, which I
> > assumed should have been processed by SSL Analyzer. Hmm.
> >
> > $ current/*.log | grep "C7lzD74mBAzB4usIHe"
> > 1523972950.556723    C7lzD74mBAzB4usIHe    128.4.154.42    59835    64.15.123.22    *443     udp*    -    983.275963    2555936    162005599    SF    417    165405275    (empty)    worker-3-12
> > 1523973692.538113    C7lzD74mBAzB4usIHe    128.4.154.42    59835    64.15.123.22    443    binpac exception: out_of_bound: SSLRecord:rec: 58376 > 1350
> > 1523973693.501421    C7lzD74mBAzB4usIHe    128.4.154.42    59835    64.15.123.22    443    binpac exception: out_of_bound: SSLRecord:rec: 11466 > 1350
> >
> > IP:  64.15.123.22, r7.sn-bvvbax-2iae.googlevideo.com, Autonomous_System-YOUTUBE
> >
> > Thanks,
> > Fatema.
> >
> > On Tue, Apr 17, 2018 at 12:20 PM, Johanna Amann <johanna at icir.org> wrote:
> >
> >> Hi Fatema,
> >>
> >> the answer is that you should not see this happen very often. Let me check
> >> if that is something that I can also observe in our local cluster - the
> >> last time I checked things looked more or less normal.
> >>
> >> Johanna
> >>
> >> On Tue, Apr 17, 2018 at 09:11:38AM -0400, fatema bannatwala wrote:
> >>> Hi Everyone,
> >>>
> >>> Looking at weird.log file recently showed a lot of weird notices logged for
> >>> the binpac exception: out_of_bound, specifically for SSLRecord.
> >>> Hence wanted to ask if these can be safely ignored, or if anything is
> >>> broken and there are some serious issues with the traffic Bro is seeing. :)
> >>>
> >>> Here are some of the notices from weird.log:
> >>>
> >>> 2018-04-17T09:01:56-0400    CyVf0j1M4RughxzHt4    128.4.61.1    52113    64.15.123.22    443    binpac exception: out_of_bound: SSLRecord:rec: 48205 > 1350    -    F    worker-3-6
> >>> 2018-04-17T09:01:56-0400    CyVf0j1M4RughxzHt4    128.4.61.1    52113    64.15.123.22    443    binpac exception: out_of_bound: SSLRecord:rec: 36586 > 1350    -    F    worker-3-6
> >>> 2018-04-17T09:02:02-0400    CZlYI32EvsHn4OX81l    128.175.252.224    54493    64.15.123.22    443    binpac exception: out_of_bound: SSLRecord:rec: 17689 > 1350    -    F    worker-3-7
> >>> 2018-04-17T09:02:02-0400    CZlYI32EvsHn4OX81l    128.175.252.224    54493    64.15.123.22    443    binpac exception: out_of_bound: SSLRecord:rec: 34801 > 1350    -    F    worker-3-7
> >>> 2018-04-17T09:02:03-0400    Cxl308dWBQAhdAuvf    128.4.95.167    61457    64.15.123.23    443    binpac exception: out_of_bound: SSLRecord:rec: 63514 > 1350    -    F    worker-1-1
> >>> 2018-04-17T09:02:03-0400    Cxl308dWBQAhdAuvf    128.4.95.167    61457    64.15.123.23    443    binpac exception: out_of_bound: SSLRecord:rec: 4143 > 1350    -    F    worker-1-1
> >>> 2018-04-17T09:02:16-0400    Cn3rHuB9LlM3YfTd1    128.4.62.54    65054    173.194.205.189    443    binpac exception: out_of_bound: SSLRecord:rec: 13126 > 1350    -    F    worker-2-19
> >>> 2018-04-17T09:02:16-0400    Cn3rHuB9LlM3YfTd1    128.4.62.54    65054    173.194.205.189    443    binpac exception: out_of_bound: SSLRecord:rec: 13126 > 1261    -    F    worker-2-19
> >>> 2018-04-17T09:02:16-0400    Cn3rHuB9LlM3YfTd1    128.4.62.54    65054    173.194.205.189    443    binpac exception: out_of_bound: SSLRecord:rec: 63719 > 41    -    F    worker-2-19
> >>> 2018-04-17T09:02:16-0400    Cn3rHuB9LlM3YfTd1    128.4.62.54    65054    173.194.205.189    443    binpac exception: out_of_bound: SSLRecord:rec: 17744 > 35    -    F    worker-2-19
> >>> 2018-04-17T09:02:17-0400    Cn3rHuB9LlM3YfTd1    128.4.62.54    65054    173.194.205.189    443    binpac exception: out_of_bound: SSLRecord:rec: 64155 > 38    -    F    worker-2-19
> >>> 2018-04-17T09:02:17-0400    Cn3rHuB9LlM3YfTd1    128.4.62.54    65054    173.194.205.189    443    binpac exception: out_of_bound: SSLRecord:rec: 54546 > 41    -    F    worker-2-19
> >>>
> >>> Appreciate any insights. :)
> >>>
> >>> Thanks!
> >>> Fatema.
> >>
> >>> _______________________________________________
> >>> Bro mailing list
> >>> bro at bro-ids.org
> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
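
The correlation done by hand in this thread (weird.log entries joined to conn.log by connection UID to see which transport they belong to), as an added example that is not part of any poster's message. The log rows are constructed, the column order is assumed to match the excerpts quoted above, and the `likely_not_tls` rule (UDP with no service logged) is an assumption used for triage only.

```python
import re
from collections import defaultdict

# Constructed sample rows: tab-separated, column order as in the thread's
# excerpts; addresses are documentation ranges and the UIDs are made up.
MSG = "binpac exception: out_of_bound: SSLRecord:rec: "
CONN_LOG = (
    "1523972950.5\tCudpQ1\t192.0.2.10\t59835\t198.51.100.22\t443\tudp\t-\t983.27\n"
    "1523972960.1\tCtcpT2\t192.0.2.11\t50222\t198.51.100.22\t443\ttcp\tssl\t12.50\n"
)
WEIRD_LOG = (
    "1523973692.5\tCudpQ1\t192.0.2.10\t59835\t198.51.100.22\t443\t" + MSG + "58376 > 1350\t-\tF\tw1\n"
    "1523973693.5\tCudpQ1\t192.0.2.10\t59835\t198.51.100.22\t443\t" + MSG + "11466 > 1350\t-\tF\tw1\n"
    "1523973700.0\tCtcpT2\t192.0.2.11\t50222\t198.51.100.22\t443\t" + MSG + "20000 > 517\t-\tF\tw1\n"
    "1523973701.0\tCtcpT2\t192.0.2.11\t50222\t198.51.100.22\t443\tdata_before_established\t-\tF\tw1\n"
)

# Captures the length the record header claimed and the bytes actually available.
OOB = re.compile(re.escape(MSG) + r"(\d+) > (\d+)")

def rows(text):
    """Yield tab-split fields of each data row, skipping '#' header lines."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split("\t")

def triage(weird_text, conn_text):
    """Group SSLRecord out_of_bound weirds by UID and attach transport info."""
    protos = {f[1]: (f[6], f[7]) for f in rows(conn_text)}  # uid -> (proto, service)
    hits = defaultdict(list)
    for f in rows(weird_text):
        m = OOB.search(f[6])  # field 6 is the weird name
        if m:
            hits[f[1]].append((int(m.group(1)), int(m.group(2))))
    report = {}
    for uid, pairs in hits.items():
        proto, service = protos.get(uid, ("unknown", "-"))
        report[uid] = {
            "proto": proto, "service": service, "count": len(pairs),
            "max_claimed": max(claimed for claimed, _ in pairs),
            # Assumption: UDP with no service logged means the DTLS parser
            # was fed something that is not (D)TLS, as the thread concludes.
            "likely_not_tls": proto == "udp" and service == "-",
        }
    return report

if __name__ == "__main__":
    for uid, row in triage(WEIRD_LOG, CONN_LOG).items():
        print(uid, row)
```
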