[Bro] binpac exception: out_of_bound: SSLRecord:rec: 41702 > 1350

fatema bannatwala fatema.bannatwala at gmail.com
Thu Apr 19 12:50:36 PDT 2018


Cool. Thanks Drew.
Yeah, Johanna felt the same, and provided information on what it might be
and could be ignored.

Fatema.

On Thu, Apr 19, 2018 at 3:07 PM, Drew Dixon <dwdixon at umich.edu> wrote:

> Looks like this is probably just QUIC <https://en.wikipedia.org/wiki/QUIC>
> (more here
> <https://docs.google.com/document/d/1lmL9EF6qKrk7gbazY8bIdvq3Pno2Xj_l_YShP40GLQE>)
> traffic which is likely tightly intermixed with various YouTube
> (streaming, uploading, posting, etc.) application traffic via tcp/443 from
> the same IP.
>
> -Drew
>
> On Tue, Apr 17, 2018 at 12:36 PM, Johanna Amann <johanna at icir.org> wrote:
>
>> Oh - interesting, these are udp.
>>
>> In that case I instantly feel much less bad about this. It is probably
>> google experimenting with something. Let me still check if I see that
>> too :)
>>
>> Johanna
>>
>> On 17 Apr 2018, at 9:34, fatema bannatwala wrote:
>>
>> > Hi Johanna,
>> >
>> > Thanks for the response.
>> > I was analyzing these more, and looked in the connection logs to see which
>> > these correspond to.
>> > And seeing UDP connections on 443 which are pretty long, and majority of
>> > dest IPs are Google Inc. owned with some kind of video streaming service, I
>> > think YOUTUBE,
>> > hence was thinking if these weird notices are corresponding to any DTLS
>> > traffic to those video streaming services provided by Google.
>> > Also, to my notice, no SSL records got logged as well for these, which I
>> > assumed should have been processed by SSL Analyzer. Hmm.
>> >
>> > $ current/*.log | grep "C7lzD74mBAzB4usIHe"
>> > 1523972950.556723       C7lzD74mBAzB4usIHe      128.4.154.42    59835   64.15.123.22    *443     udp*     -       983.275963      2555936 162005599       SF    417     165405275       (empty) worker-3-12
>> > 1523973692.538113       C7lzD74mBAzB4usIHe      128.4.154.42    59835   64.15.123.22    443     binpac exception: out_of_bound: SSLRecord:rec: 58376 > 1350
>> > 1523973693.501421       C7lzD74mBAzB4usIHe      128.4.154.42    59835   64.15.123.22    443     binpac exception: out_of_bound: SSLRecord:rec: 11466 > 1350
>> >
>> > IP:  64.15.123.22, r7.sn-bvvbax-2iae.googlevideo.com, Autonomous_System-YOUTUBE
>> >
>> > Thanks,
>> > Fatema.
>> >
>> > On Tue, Apr 17, 2018 at 12:20 PM, Johanna Amann <johanna at icir.org> wrote:
>> >
>> >> Hi Fatema,
>> >>
>> >> the answer is that you should not see this happen very often. Let me check
>> >> if that is something that I can also observe in our local cluster - the
>> >> last time I checked things looked more or less normal.
>> >>
>> >> Johanna
>> >>
>> >> On Tue, Apr 17, 2018 at 09:11:38AM -0400, fatema bannatwala wrote:
>> >>> Hi Everyone,
>> >>>
>> >>> Looking at weird.log file recently showed a lot of weird notices logged for
>> >>> the binpac exception: out_of_bound, specifically for SSLRecord.
>> >>> Hence wanted to ask if these can be safely ignored, or if anything is
>> >>> broken and there are some serious issues with the traffic Bro is seeing. :)
>> >>>
>> >>> Here are some of the notices from weird.log:
>> >>>
>> >>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1      52113   64.15.123.22    443     binpac exception: out_of_bound: SSLRecord:rec: 48205 > 1350     -       F       worker-3-6
>> >>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1      52113   64.15.123.22    443     binpac exception: out_of_bound: SSLRecord:rec: 36586 > 1350     -       F       worker-3-6
>> >>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l      128.175.252.224 54493   64.15.123.22    443     binpac exception: out_of_bound: SSLRecord:rec: 17689 > 1350     -       F       worker-3-7
>> >>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l      128.175.252.224 54493   64.15.123.22    443     binpac exception: out_of_bound: SSLRecord:rec: 34801 > 1350     -       F       worker-3-7
>> >>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167    61457   64.15.123.23    443     binpac exception: out_of_bound: SSLRecord:rec: 63514 > 1350     -       F       worker-1-1
>> >>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167    61457   64.15.123.23    443     binpac exception: out_of_bound: SSLRecord:rec: 4143 > 1350      -       F       worker-1-1
>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54     65054   173.194.205.189 443     binpac exception: out_of_bound: SSLRecord:rec: 13126 > 1350     -       F       worker-2-19
>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54     65054   173.194.205.189 443     binpac exception: out_of_bound: SSLRecord:rec: 13126 > 1261     -       F       worker-2-19
>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54     65054   173.194.205.189 443     binpac exception: out_of_bound: SSLRecord:rec: 63719 > 41       -       F       worker-2-19
>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54     65054   173.194.205.189 443     binpac exception: out_of_bound: SSLRecord:rec: 17744 > 35       -       F       worker-2-19
>> >>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54     65054   173.194.205.189 443     binpac exception: out_of_bound: SSLRecord:rec: 64155 > 38       -       F       worker-2-19
>> >>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54     65054   173.194.205.189 443     binpac exception: out_of_bound: SSLRecord:rec: 54546 > 41       -       F       worker-2-19
>> >>>
>> >>> Appreciate any insights. :)
>> >>>
>> >>> Thanks!
>> >>> Fatema.
>> >>
>> >>> _______________________________________________
>> >>> Bro mailing list
>> >>> bro at bro-ids.org
>> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> >>
>> >>
>
>
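Added example, not part of any message in this thread and not Bro project code: a triage script that joins `SSLRecord` out_of_bound weirds to conn.log by uid and separates the UDP/443, no-service case the thread attributes to QUIC from anything that still needs review. The column positions assume the default Bro TSV layout; the verdict labels, the `CtcpExample0000001` and `CdnsExample0000001` connections and the trailing weird.log columns are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rows (tab-separated). The first uid reuses values quoted
# in the thread; the other connections and trailing columns are invented.
# Only the first eight conn.log columns (ts .. service) are kept.
CONN_LOG = "\n".join([
    "1523972950.556723\tC7lzD74mBAzB4usIHe\t128.4.154.42\t59835\t64.15.123.22\t443\tudp\t-",
    "1523972990.000000\tCtcpExample0000001\t192.0.2.10\t40000\t198.51.100.7\t443\ttcp\tssl",
])
OOB = "binpac exception: out_of_bound: SSLRecord:rec: "
WEIRD_LOG = "\n".join([
    "1523973692.538113\tC7lzD74mBAzB4usIHe\t128.4.154.42\t59835\t64.15.123.22\t443\t" + OOB + "58376 > 1350\t-\tF\tworker-3-12",
    "1523973693.501421\tC7lzD74mBAzB4usIHe\t128.4.154.42\t59835\t64.15.123.22\t443\t" + OOB + "11466 > 1350\t-\tF\tworker-3-12",
    "1523972991.000000\tCtcpExample0000001\t192.0.2.10\t40000\t198.51.100.7\t443\t" + OOB + "20000 > 1400\t-\tF\tworker-1-1",
    "1523972992.000000\tCdnsExample0000001\t192.0.2.11\t40001\t198.51.100.8\t53\tdns_unmatched_reply\t-\tF\tworker-1-1",
])
# "N > M": the parser needed N bytes for the record but only M were available.
WEIRD_RE = re.compile(re.escape(OOB) + r"(\d+) > (\d+)")

def rows(text):
    """Yield split fields for each data row, skipping '#' header lines."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            yield line.split("\t")

def triage(conn_text, weird_text):
    """Join out_of_bound SSLRecord weirds to conn.log by uid and classify."""
    conns = {f[1]: (f[6], int(f[5]), f[7]) for f in rows(conn_text)}
    needed = defaultdict(list)
    for f in rows(weird_text):
        m = WEIRD_RE.fullmatch(f[6])          # column 7 is the weird name
        if m:
            needed[f[1]].append(int(m.group(1)))
    report = {}
    for uid, lengths in needed.items():
        proto, port, service = conns.get(uid, ("unknown", 0, "-"))
        if proto == "udp" and port == 443 and service == "-":
            verdict = "likely-quic-udp443"    # the case discussed in the thread
        elif proto == "unknown":
            verdict = "no-conn-record"
        else:
            verdict = "review"                # e.g. TCP with a confirmed ssl service
        report[uid] = {"proto": proto, "count": len(lengths),
                       "max_needed": max(lengths), "verdict": verdict}
    return report

if __name__ == "__main__":
    for uid, info in triage(CONN_LOG, WEIRD_LOG).items():
        print(uid, info)
```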