[Bro] binpac exception: out_of_bound: SSLRecord:rec: 41702 > 1350
fatema bannatwala
fatema.bannatwala at gmail.com
Thu Apr 19 14:50:18 PDT 2018
Thanks Mike. I captured a small pcap from the sensor and analysed it with
Wireshark, which classified the traffic as encrypted QUIC payload.
Unfortunately, when run through the Bro 2.5.1 install on the system in offline
mode, it didn't generate those weird alerts, maybe because the traffic captured
was for just a couple of minutes.
Hence, Johanna and I concluded that Google might be experimenting with
UDP port 443 and that it's the cause of those alerts. :)
I haven't tried the QUIC analyzer though, will try that next!
Thanks,
Fatema.
On Thu, Apr 19, 2018 at 4:07 PM, Mike Dopheide <dopheide at gmail.com> wrote:
> If you have a pcap and bro-pkg, you can install the basic QUIC analyzer
> and verify. (Or I can if you are comfortable sending a small sample.)
>
> -Dop
>
> On Thu, Apr 19, 2018 at 2:50 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
>
>> Cool. Thanks Drew.
>> Yeah, Johanna felt the same, and provided information on what it might be
>> and could be ignored.
>>
>> Fatema.
>>
>> On Thu, Apr 19, 2018 at 3:07 PM, Drew Dixon <dwdixon at umich.edu> wrote:
>>
>>> Looks like this is probably just QUIC
>>> <https://en.wikipedia.org/wiki/QUIC> (more here
>>> <https://docs.google.com/document/d/1lmL9EF6qKrk7gbazY8bIdvq3Pno2Xj_l_YShP40GLQE>)
>>> traffic, which is likely tightly intermixed with various YouTube
>>> (streaming, uploading, posting, etc.) application traffic via tcp/443 from
>>> the same IP.
>>>
>>> -Drew
>>>
>>> On Tue, Apr 17, 2018 at 12:36 PM, Johanna Amann <johanna at icir.org>
>>> wrote:
>>>
>>>> Oh - interesting, these are UDP.
>>>>
>>>> In that case I instantly feel much less bad about this. It is probably
>>>> Google experimenting with something. Let me still check if I see that
>>>> too :)
>>>>
>>>> Johanna
>>>>
>>>> On 17 Apr 2018, at 9:34, fatema bannatwala wrote:
>>>>
>>>> > Hi Johanna,
>>>> >
>>>> > Thanks for the response.
>>>> > I was analyzing these more, and looked in the connection logs to see
>>>> > which connections these correspond to.
>>>> > Seeing UDP connections on 443 which are pretty long, and the majority
>>>> > of dest IPs are Google Inc. owned with some kind of video streaming
>>>> > service, I think YouTube,
>>>> > hence I was thinking these weird notices might correspond to
>>>> > DTLS traffic to those video streaming services provided by Google.
>>>> > Also, to my notice, no SSL records got logged for these either, which I
>>>> > assumed should have been processed by the SSL analyzer. Hmm.
>>>> >
>>>> > $ current/*.log | grep "C7lzD74mBAzB4usIHe"
>>>> > 1523972950.556723 C7lzD74mBAzB4usIHe 128.4.154.42 59835 64.15.123.22 *443 udp* - 983.275963 2555936 162005599 SF 417 165405275 (empty) worker-3-12
>>>> > 1523973692.538113 C7lzD74mBAzB4usIHe 128.4.154.42 59835 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 58376 > 1350
>>>> > 1523973693.501421 C7lzD74mBAzB4usIHe 128.4.154.42 59835 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 11466 > 1350
>>>> >
>>>> > IP: 64.15.123.22, r7.sn-bvvbax-2iae.googlevideo.com, Autonomous_System-YOUTUBE
>>>> >
>>>> > Thanks,
>>>> > Fatema.
>>>> >
>>>> > On Tue, Apr 17, 2018 at 12:20 PM, Johanna Amann <johanna at icir.org>
>>>> > wrote:
>>>> >
>>>> >> Hi Fatema,
>>>> >>
>>>> >> The answer is that you should not see this happen very often. Let me
>>>> >> check if that is something that I can also observe in our local
>>>> >> cluster - the last time I checked things looked more or less normal.
>>>> >>
>>>> >> Johanna
>>>> >>
>>>> >> On Tue, Apr 17, 2018 at 09:11:38AM -0400, fatema bannatwala wrote:
>>>> >>> Hi Everyone,
>>>> >>>
>>>> >>> Looking at the weird.log file recently showed a lot of weird notices
>>>> >>> logged for the binpac exception: out_of_bound, specifically for
>>>> >>> SSLRecord.
>>>> >>> Hence I wanted to ask if these can be safely ignored, or if anything
>>>> >>> is broken and there are some serious issues with the traffic Bro is
>>>> >>> seeing. :)
>>>> >>>
>>>> >>> Here are some of the notices from weird.log:
>>>> >>>
>>>> >>> 2018-04-17T09:01:56-0400 CyVf0j1M4RughxzHt4 128.4.61.1 52113 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 48205 > 1350 - F worker-3-6
>>>> >>> 2018-04-17T09:01:56-0400 CyVf0j1M4RughxzHt4 128.4.61.1 52113 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 36586 > 1350 - F worker-3-6
>>>> >>> 2018-04-17T09:02:02-0400 CZlYI32EvsHn4OX81l 128.175.252.224 54493 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 17689 > 1350 - F worker-3-7
>>>> >>> 2018-04-17T09:02:02-0400 CZlYI32EvsHn4OX81l 128.175.252.224 54493 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 34801 > 1350 - F worker-3-7
>>>> >>> 2018-04-17T09:02:03-0400 Cxl308dWBQAhdAuvf 128.4.95.167 61457 64.15.123.23 443 binpac exception: out_of_bound: SSLRecord:rec: 63514 > 1350 - F worker-1-1
>>>> >>> 2018-04-17T09:02:03-0400 Cxl308dWBQAhdAuvf 128.4.95.167 61457 64.15.123.23 443 binpac exception: out_of_bound: SSLRecord:rec: 4143 > 1350 - F worker-1-1
>>>> >>> 2018-04-17T09:02:16-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 13126 > 1350 - F worker-2-19
>>>> >>> 2018-04-17T09:02:16-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 13126 > 1261 - F worker-2-19
>>>> >>> 2018-04-17T09:02:16-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 63719 > 41 - F worker-2-19
>>>> >>> 2018-04-17T09:02:16-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 17744 > 35 - F worker-2-19
>>>> >>> 2018-04-17T09:02:17-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 64155 > 38 - F worker-2-19
>>>> >>> 2018-04-17T09:02:17-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 54546 > 41 - F worker-2-19
>>>> >>>
>>>> >>> Appreciate any insights. :)
>>>> >>>
>>>> >>> Thanks!
>>>> >>> Fatema.
>>>> >>
>>>> >>> _______________________________________________
>>>> >>> Bro mailing list
>>>> >>> bro at bro-ids.org
>>>> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>> >>
>>>> >>
>>>>
>>>
>>>
>>
>>
>
>
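As an added example (not code from this thread or from the Bro project), here is a small Python triage script that automates what the thread does by hand: it picks the "binpac exception: out_of_bound: SSLRecord" entries out of weird.log, joins them to conn.log by uid, and separates flows that are UDP/443 (the QUIC case Johanna and Drew describe, which the thread treats as ignorable) from TCP flows where the SSL analyzer tripped on a real stream and a closer look is warranted. It assumes the default tab-separated Bro log field order for both logs; the log lines embedded in it are constructed samples using RFC 5737 documentation addresses, not records from the thread.

```python
"""Triage Bro weird.log SSLRecord out_of_bound entries by transport.

Assumptions (not from the thread): default tab-separated Bro field order,
  conn.log  = ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service ...
  weird.log = ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
Sample records below are constructed; addresses are documentation ranges.
"""
import re
from collections import Counter

# Matches the weird name format quoted in the thread, e.g.
#   "binpac exception: out_of_bound: SSLRecord:rec: 48205 > 1350"
OUT_OF_BOUND_RE = re.compile(
    r"^binpac exception: out_of_bound: (?P<field>\S+): (?P<wanted>\d+) > (?P<avail>\d+)$"
)

# Constructed conn.log slice: one UDP/443 flow, one TCP/443 SSL flow.
CONN_SAMPLE = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    "1523972950.556723\tCexAAA1\t192.0.2.10\t59835\t198.51.100.22\t443\tudp\t-",
    "1523972951.000000\tCexBBB2\t192.0.2.11\t52113\t198.51.100.23\t443\ttcp\tssl",
]

# Constructed weird.log slice: two hits on the UDP flow, one on the TCP flow,
# one whose uid is missing from the conn slice, and one unrelated weird.
WEIRD_SAMPLE = [
    "1523973692.538113\tCexAAA1\t192.0.2.10\t59835\t198.51.100.22\t443\t"
    "binpac exception: out_of_bound: SSLRecord:rec: 58376 > 1350\t-\tF\tworker-1",
    "1523973693.501421\tCexAAA1\t192.0.2.10\t59835\t198.51.100.22\t443\t"
    "binpac exception: out_of_bound: SSLRecord:rec: 11466 > 1350\t-\tF\tworker-1",
    "1523973694.000000\tCexBBB2\t192.0.2.11\t52113\t198.51.100.23\t443\t"
    "binpac exception: out_of_bound: SSLRecord:rec: 4143 > 1350\t-\tF\tworker-2",
    "1523973695.000000\tCexCCC3\t192.0.2.12\t65054\t198.51.100.24\t443\t"
    "binpac exception: out_of_bound: SSLRecord:rec: 13126 > 1261\t-\tF\tworker-2",
    "1523973696.000000\tCexDDD4\t192.0.2.13\t5353\t198.51.100.25\t53\t"
    "dns_unmatched_msg\t-\tF\tworker-3",
]


def parse_conn(lines):
    """Return {uid: (proto, resp_port)} from tab-separated conn.log records."""
    conns = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue  # skip Bro's #fields/#types header lines
        f = line.split("\t")
        if len(f) < 8:
            continue
        conns[f[1]] = (f[6], int(f[5]))
    return conns


def parse_weird(lines):
    """Yield (uid, resp_h, field, wanted, avail) for SSLRecord out_of_bound weirds only."""
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) < 7:
            continue
        m = OUT_OF_BOUND_RE.match(f[6])
        if not m or not m.group("field").startswith("SSLRecord"):
            continue
        yield f[1], f[4], m.group("field"), int(m.group("wanted")), int(m.group("avail"))


def classify(weird_lines, conn_lines):
    """Label each affected uid by the transport of its connection.

    'udp443'  - SSL analyzer attached to a UDP/443 flow (QUIC-like; ignorable per thread)
    'tcp'     - a real TCP/SSL stream tripped the record parser; worth a look
    'no_conn' - uid not present in the supplied conn.log slice
    """
    conns = parse_conn(conn_lines)
    labels = {}
    for uid, resp_h, _field, wanted, _avail in parse_weird(weird_lines):
        proto, port = conns.get(uid, (None, None))
        if proto == "udp" and port == 443:
            label = "udp443"
        elif proto == "tcp":
            label = "tcp"
        else:
            label = "no_conn"
        entry = labels.setdefault(uid, {"resp_h": resp_h, "label": label, "hits": 0, "max_wanted": 0})
        entry["hits"] += 1
        entry["max_wanted"] = max(entry["max_wanted"], wanted)
    return labels


def summarize(labels):
    """Count affected uids per label; the first number a triager wants."""
    return Counter(v["label"] for v in labels.values())


if __name__ == "__main__":
    result = classify(WEIRD_SAMPLE, CONN_SAMPLE)
    for uid, info in result.items():
        print(f"{uid} -> {info['resp_h']} {info['label']} hits={info['hits']} max_wanted={info['max_wanted']}")
    print(dict(summarize(result)))
```

The tell-tale in the thread was the `udp` in the conn.log row for the same uid; the script just performs that lookup for every SSLRecord weird, so only the `tcp` bucket needs a human to read weird.log. The `wanted` value (the number before `>`) is the record length the parser expected, which on UDP/443 is simply garbage from reading an encrypted QUIC packet as a TLS record.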