[Bro] binpac exception: out_of_bound: SSLRecord:rec: 41702 > 1350

fatema bannatwala fatema.bannatwala at gmail.com
Thu Apr 19 14:50:18 PDT 2018


Thanks Mike. I captured a small pcap from the sensor, and analysed it with
Wireshark, which classified the traffic as encrypted QUIC payload.
Unfortunately when run with the Bro 2.5.1 install on the system in offline
mode, it didn't generate those weird alerts, maybe because the traffic captured
was for just a couple of minutes.
Hence, Johanna and I concluded that Google might be experimenting with
UDP port 443 and it's the cause of those alerts. :)

I haven't tried the QUIC analyzer though, will try that next!

Thanks,
Fatema.


On Thu, Apr 19, 2018 at 4:07 PM, Mike Dopheide <dopheide at gmail.com> wrote:

> If you have a pcap and bro-pkg, you can install the basic QUIC analyzer
> and verify.  (Or I can if you are comfortable sending a small sample).
>
> -Dop
>
> On Thu, Apr 19, 2018 at 2:50 PM, fatema bannatwala <
> fatema.bannatwala at gmail.com> wrote:
>
>> Cool. Thanks Drew.
>> Yeah, Johanna felt the same, and provided information on what it might be
>> and could be ignored.
>>
>> Fatema.
>>
>> On Thu, Apr 19, 2018 at 3:07 PM, Drew Dixon <dwdixon at umich.edu> wrote:
>>
>>> Looks like this is probably just QUIC
>>> <https://en.wikipedia.org/wiki/QUIC> (more here
>>> <https://docs.google.com/document/d/1lmL9EF6qKrk7gbazY8bIdvq3Pno2Xj_l_YShP40GLQE>)
>>> traffic which is likely tightly intermixed with various YouTube
>>> (streaming, uploading, posting, etc.) application traffic via tcp/443 from
>>> the same IP.
>>>
>>> -Drew
>>>
>>> On Tue, Apr 17, 2018 at 12:36 PM, Johanna Amann <johanna at icir.org>
>>> wrote:
>>>
>>>> Oh - interesting, these are UDP.
>>>>
>>>> In that case I instantly feel much less bad about this. It is probably
>>>> Google experimenting with something. Let me still check if I see that
>>>> too :)
>>>>
>>>> Johanna
>>>>
>>>> On 17 Apr 2018, at 9:34, fatema bannatwala wrote:
>>>>
>>>> > Hi Johanna,
>>>> >
>>>> > Thanks for the response.
>>>> > I was analyzing these more, and looked in the connection logs to see
>>>> > which ones these correspond to.
>>>> > And I'm seeing UDP connections on 443 which are pretty long, and the
>>>> > majority of dest IPs are Google Inc. owned with some kind of video
>>>> > streaming service, I think YouTube,
>>>> > hence I was thinking whether these weird notices correspond to any DTLS
>>>> > traffic to those video streaming services provided by Google.
>>>> > Also, I noticed that no SSL records got logged for these either, which I
>>>> > assumed should have been processed by the SSL analyzer. Hmm.
>>>> >
>>>> > $ current/*.log | grep "C7lzD74mBAzB4usIHe"
>>>> > 1523972950.556723       C7lzD74mBAzB4usIHe      128.4.154.42    59835   64.15.123.22    *443     udp*     -       983.275963      2555936 162005599       SF    417     165405275       (empty) worker-3-12
>>>> > 1523973692.538113       C7lzD74mBAzB4usIHe      128.4.154.42    59835   64.15.123.22    443     binpac exception: out_of_bound: SSLRecord:rec: 58376 > 1350
>>>> > 1523973693.501421       C7lzD74mBAzB4usIHe      128.4.154.42    59835   64.15.123.22    443     binpac exception: out_of_bound: SSLRecord:rec: 11466 > 1350
>>>> >
>>>> > IP:  64.15.123.22, r7.sn-bvvbax-2iae.googlevideo.com , Autonomous_System-YOUTUBE
>>>> >
>>>> > Thanks,
>>>> > Fatema.
>>>> >
>>>> > On Tue, Apr 17, 2018 at 12:20 PM, Johanna Amann <johanna at icir.org>
>>>> > wrote:
>>>> >
>>>> >> Hi Fatema,
>>>> >>
>>>> >> the answer is that you should not see this happen very often. Let me
>>>> >> check if that is something that I can also observe in our local cluster -
>>>> >> the last time I checked things looked more or less normal.
>>>> >>
>>>> >> Johanna
>>>> >>
>>>> >> On Tue, Apr 17, 2018 at 09:11:38AM -0400, fatema bannatwala wrote:
>>>> >>> Hi Everyone,
>>>> >>>
>>>> >>> Looking at the weird.log file recently showed a lot of weird notices
>>>> >>> logged for the binpac exception: out_of_bound, specifically for SSLRecord.
>>>> >>> Hence I wanted to ask if these can be safely ignored, or if anything
>>>> >>> is broken and there are some serious issues with the traffic Bro is
>>>> >>> seeing. :)
>>>> >>>
>>>> >>> Here are some of the notices from weird.log:
>>>> >>>
>>>> >>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1      52113   64.15.123.22    443     binpac exception: out_of_bound: SSLRecord:rec: 48205 > 1350     -       F       worker-3-6
>>>> >>> 2018-04-17T09:01:56-0400        CyVf0j1M4RughxzHt4      128.4.61.1      52113   64.15.123.22    443     binpac exception: out_of_bound: SSLRecord:rec: 36586 > 1350     -       F       worker-3-6
>>>> >>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l      128.175.252.224 54493   64.15.123.22    443     binpac exception: out_of_bound: SSLRecord:rec: 17689 > 1350     -       F       worker-3-7
>>>> >>> 2018-04-17T09:02:02-0400        CZlYI32EvsHn4OX81l      128.175.252.224 54493   64.15.123.22    443     binpac exception: out_of_bound: SSLRecord:rec: 34801 > 1350     -       F       worker-3-7
>>>> >>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167    61457   64.15.123.23    443     binpac exception: out_of_bound: SSLRecord:rec: 63514 > 1350     -       F       worker-1-1
>>>> >>> 2018-04-17T09:02:03-0400        Cxl308dWBQAhdAuvf       128.4.95.167    61457   64.15.123.23    443     binpac exception: out_of_bound: SSLRecord:rec: 4143 > 1350      -       F       worker-1-1
>>>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54     65054   173.194.205.189 443     binpac exception: out_of_bound: SSLRecord:rec: 13126 > 1350     -       F       worker-2-19
>>>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54     65054   173.194.205.189 443     binpac exception: out_of_bound: SSLRecord:rec: 13126 > 1261     -       F       worker-2-19
>>>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54     65054   173.194.205.189 443     binpac exception: out_of_bound: SSLRecord:rec: 63719 > 41       -       F       worker-2-19
>>>> >>> 2018-04-17T09:02:16-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54     65054   173.194.205.189 443     binpac exception: out_of_bound: SSLRecord:rec: 17744 > 35       -       F       worker-2-19
>>>> >>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54     65054   173.194.205.189 443     binpac exception: out_of_bound: SSLRecord:rec: 64155 > 38       -       F       worker-2-19
>>>> >>> 2018-04-17T09:02:17-0400        Cn3rHuB9LlM3YfTd1       128.4.62.54     65054   173.194.205.189 443     binpac exception: out_of_bound: SSLRecord:rec: 54546 > 41       -       F       worker-2-19
>>>> >>>
>>>> >>> Appreciate any insights. :)
>>>> >>>
>>>> >>> Thanks!
>>>> >>> Fatema.
>>>> >>
>>>> >>> _______________________________________________
>>>> >>> Bro mailing list
>>>> >>> bro at bro-ids.org
>>>> >>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>> >>
>>>> >>
>>>>
>>>
>>>
>>
>>
>
>
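A triage script for threads like this one, added here as an example and not code from the thread or from the Bro project: it joins weird.log to conn.log on the connection uid and separates the SSLRecord out_of_bound weirds raised on UDP/443 flows (where the SSL/DTLS analyzer has been handed a non-TLS UDP payload, which the thread concludes is QUIC) from those raised on TCP, which still deserve a look. It also flags any "rec: N > M" message whose claimed record length N exceeds 2^14 + 2048 bytes, the upper bound RFC 5246 places on a TLS record length field, since such a value cannot have come from a real TLS record header. The sample logs are constructed from the uids, addresses and messages quoted above; the conn.log rows other than Fatema's C7lzD74mBAzB4usIHe row, and the CHypothetical* uids, are assumptions made for the example.

```python
"""Triage Bro/Zeek weird.log 'binpac exception: out_of_bound: SSLRecord' entries
by joining them to conn.log on uid (example script, not part of Bro)."""
import re
from collections import Counter

# Constructed sample logs in Bro's tab-separated format. The C7lzD74mBAzB4usIHe and
# Cn3rHuB9LlM3YfTd1 rows use values quoted in the thread; the CHypothetical* uids
# and the extra conn.log rows are assumptions so the join has something to match.
WEIRD_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer",
    "1523973692.538113\tC7lzD74mBAzB4usIHe\t128.4.154.42\t59835\t64.15.123.22\t443\t"
    "binpac exception: out_of_bound: SSLRecord:rec: 58376 > 1350\t-\tF\tworker-3-12",
    "1523973693.501421\tC7lzD74mBAzB4usIHe\t128.4.154.42\t59835\t64.15.123.22\t443\t"
    "binpac exception: out_of_bound: SSLRecord:rec: 11466 > 1350\t-\tF\tworker-3-12",
    "1523970136.000000\tCn3rHuB9LlM3YfTd1\t128.4.62.54\t65054\t173.194.205.189\t443\t"
    "binpac exception: out_of_bound: SSLRecord:rec: 63719 > 41\t-\tF\tworker-2-19",
    "1523970136.000000\tCHypothetical0001\t128.4.10.10\t50000\t198.51.100.7\t443\t"
    "binpac exception: out_of_bound: SSLRecord:rec: 9000 > 1350\t-\tF\tworker-1-1",
    "1523970136.000000\tCHypothetical0002\t128.4.10.11\t50001\t198.51.100.8\t443\t"
    "dns_unmatched_msg\t-\tF\tworker-1-1",
    "1523970136.000000\tCHypothetical0003\t128.4.10.12\t50002\t198.51.100.9\t443\t"
    "binpac exception: out_of_bound: SSLRecord:rec: 20000 > 1350\t-\tF\tworker-1-2",
])

CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration",
    "1523972950.556723\tC7lzD74mBAzB4usIHe\t128.4.154.42\t59835\t64.15.123.22\t443\tudp\t-\t983.275963",
    "1523970130.000000\tCn3rHuB9LlM3YfTd1\t128.4.62.54\t65054\t173.194.205.189\t443\tudp\t-\t120.0",
    "1523970130.000000\tCHypothetical0001\t128.4.10.10\t50000\t198.51.100.7\t443\ttcp\tssl\t3.2",
])

# binpac reports out_of_bound as "<field>: <bytes needed> > <bytes available>".
SSL_OOB_RE = re.compile(r"^binpac exception: out_of_bound: SSLRecord:rec: (\d+) > (\d+)$")
# RFC 5246 section 6.2.2: a TLSCiphertext length MUST NOT exceed 2^14 + 2048.
MAX_TLS_RECORD = 2 ** 14 + 2048


def parse_bro_log(text):
    """Parse Bro's tab-separated log text into dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("data row before #fields header")
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def triage(weird_text, conn_text):
    """Bucket SSLRecord out_of_bound weirds by what conn.log says about the flow.

    Returns a dict of bucket name -> Counter(uid -> weird count). The bucket
    'impossible_tls_length' counts messages whose claimed record length can
    never be a TLS record, a quick sign the bytes were not TLS at all.
    """
    conns = {r["uid"]: r for r in parse_bro_log(conn_text)}
    buckets = {
        "udp443_likely_quic": Counter(),  # UDP to 443: the case in this thread
        "tcp_ssl": Counter(),             # TCP: a real TLS stream that broke
        "other": Counter(),
        "no_conn_record": Counter(),      # uid not (yet) in conn.log
        "impossible_tls_length": Counter(),
    }
    for w in parse_bro_log(weird_text):
        m = SSL_OOB_RE.match(w["name"])
        if not m:
            continue  # some other weird; not our concern here
        claimed_len = int(m.group(1))
        if claimed_len > MAX_TLS_RECORD:
            buckets["impossible_tls_length"][w["uid"]] += 1
        c = conns.get(w["uid"])
        if c is None:
            buckets["no_conn_record"][w["uid"]] += 1
        elif c["proto"] == "udp" and c["id.resp_p"] == "443":
            buckets["udp443_likely_quic"][w["uid"]] += 1
        elif c["proto"] == "tcp":
            buckets["tcp_ssl"][w["uid"]] += 1
        else:
            buckets["other"][w["uid"]] += 1
    return buckets


if __name__ == "__main__":
    for bucket, counts in triage(WEIRD_LOG, CONN_LOG).items():
        print(f"{bucket}: {dict(counts)}")
```

To use it on a sensor, read the day's weird.log and conn.log into the two strings instead of the constructed samples (the logs in this thread are the ASCII writer's tab-separated output, which is what the parser expects). Entries that land in udp443_likely_quic with conn.log pointing at googlevideo.com hosts are the pattern discussed above and can be suppressed in a notice policy; anything in tcp_ssl is a TCP stream the SSL analyzer genuinely failed on and is worth a pcap.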