[Bro] Triplicate Entries in CONN Log
Philip Romero
promero at cenic.org
Wed Jan 3 09:39:20 PST 2018
Seth,
Thanks for the troubleshooting code. It looks like only one interface is
getting the traffic, but all 4 cores assigned are processing the same
traffic individually. I'm still working with my Systems team on the
suggestion from Justin.
$ cat /usr/local/logs/current/conn.log |grep -P '137.164.29.72' |grep -P '173.245.59.100' |grep '49519'
1515000332.481539 CY3pub5wesleIxzhh 137.164.29.72 49519 173.245.59.100 53 udp dns 0.001269 54 54 SF T F 0 Dd 1 82 1 82 (empty) worker-4-2
1515000332.481539 CkBMQVujDASjTbiZb 137.164.29.72 49519 173.245.59.100 53 udp dns 0.001269 54 54 SF T F 0 Dd 1 82 1 82 (empty) worker-4-1
1515000332.481539 CMTY2G1ferRjOZtWz 137.164.29.72 49519 173.245.59.100 53 udp dns 0.001269 54 54 SF T F 0 Dd 1 82 1 82 (empty) worker-4-4
1515000332.481539 CMj0iL2677DvhMHNue 137.164.29.72 49519 173.245.59.100 53 udp dns 0.001269 54 54 SF T F 0 Dd 1 82 1 82 (empty) worker-4-3
Philip
On 1/3/18 8:58 AM, Seth Hall wrote:
>
> Your node.cfg is slightly complicated since you're sniffing a number
> of interfaces. I wouldn't be surprised if you're accidentally seeing
> the same traffic on multiple interfaces. Add this little blurb into
> your local.bro...
>
> #### begin ####
> @load base/protocols/conn
>
> export {
>     redef record Conn::Info += {
>         ## The name of the node where this connection was analyzed.
>         node: string &log &optional;
>     };
> }
>
> event connection_state_remove(c: connection) &priority=2
>     {
>     c$conn$node = peer_description;
>     }
> #### end ####
>
> That will let you see which node each of your conn log entries was
> being written by. Look at three of the same connections to see if
> they're coming from different workers and let us know.
>
> .Seth
>
> On 2 Jan 2018, at 14:39, Philip Romero wrote:
>
> All,
>
> I did a quick search, but did not see any threads on this type of
> subject, so forgive me if this has already been discussed. We have
> a new bro server being stood up that looks to be creating multiple
> (3) entries for every conn log. Below is a sample of what I'm
> speaking of. We have 4 monitoring interfaces with varying numbers
> of CPU cores assigned to the 4 workers they are associated with.
> The number of entries appears to be related to the number of pf_ring
> workers created because I changed the nodes from 3 lb_procs each
> to the below node.cfg config this morning and I am now seeing 1 to
> 5 entries for each log entry.
>
> Would this be an indication that there is a problem with our
> pf_ring setup? How might we confirm what may be causing this?
>
> $ zcat /usr/local/logs/2018-01-01/conn.01\:00\:00-02\:00\:00.log.gz |bro-cut -d |grep '101.124.88.146'
> 2018-01-01T01:16:50-0800 CxcveSg78Iow3jix 101.124.88.146 33589 137.164.29.67 53 udp dns 0.000383 44 162 SF F T 0 Dd 72 1 190 (empty)
> 2018-01-01T01:16:50-0800 CbvYq642taiDEEPLwc 101.124.88.146 33589 137.164.29.67 53 udp dns 0.000383 44 162 SF F T 0 Dd 72 1 190 (empty)
> 2018-01-01T01:16:50-0800 CEc8UA2AyEKYDSNiw9 101.124.88.146 33589 137.164.29.67 53 udp dns 0.000383 44 162 SF F T 0 Dd 72 1 190 (empty)
> 2018-01-01T01:17:44-0800 Clg6KI2hLQBShRUxal 101.124.88.146 54683 137.145.204.10 53 udp dns - - - S0 F F 0 D 1 72 0 0 (empty)
> 2018-01-01T01:17:44-0800 CN1WXh1ae3r9FzXA7d 101.124.88.146 54683 137.145.204.10 53 udp dns - - - S0 F F 0 D 1 72 0 0 (empty)
> 2018-01-01T01:17:44-0800 C7s9Qp4LPByzC6Gm53 101.124.88.146 16779 137.145.204.10 53 udp dns - - - S0 F F 0 D 1 82 0 0 (empty)
> 2018-01-01T01:17:44-0800 CHBMNSB9eOhekrAS6 101.124.88.146 54683 137.145.204.10 53 udp dns - - - S0 F F 0 D 1 72 0 0 (empty)
> 2018-01-01T01:17:44-0800 Cmnrmh2ivDksWcJXLl 101.124.88.146 16779 137.145.204.10 53 udp dns - - - S0 F F 0 D 1 82 0 0 (empty)
> 2018-01-01T01:17:44-0800 CTCK4qkRHhDz4jLqk 101.124.88.146 16779 137.145.204.10 53 udp dns - - - S0 F F 0 D 1 82 0 0 (empty)
> 2018-01-01T01:17:45-0800 CZ90QS3RGjHqck8zvc 101.124.88.146 26774 137.145.204.10 53 udp dns - - - S0 F F 0 D 1 82 0 0 (empty)
> 2018-01-01T01:17:45-0800 C96L6a1YTuUCsvbHRk 101.124.88.146 26774 137.145.204.10 53 udp dns - - - S0 F F 0 D 1 82 0 0 (empty)
> 2018-01-01T01:17:45-0800 CnP2AnwrmyniFfDBe 101.124.88.146 26774 137.145.204.10 53 udp dns - - - S0 F F 0 D 1 82 0 0 (empty)
> 2018-01-01T01:17:46-0800 CB5iF7f4hoqrQWiq2 101.124.88.146 25389 137.145.204.10 53 udp dns - - - S0 F F 0 D 1 72 0 0 (empty)
> 2018-01-01T01:17:46-0800 CkZEAp0saM0cEaTSf 101.124.88.146 25389 137.145.204.10 53 udp dns - - - S0 F F 0 D 1 72 0 0 (empty)
> 2018-01-01T01:17:46-0800 CQx4sVzjmGlPnAa51 101.124.88.146 25389 137.145.204.10 53 udp dns - - - S0 F F 0 D 1 72 0 0 (empty)
>
> $ cat /usr/local/etc/node.cfg
> # Example BroControl node configuration.
> #
> # This example has a standalone node ready to go except for possibly changing
> # the sniffing interface.
>
> # This is a complete standalone configuration. Most likely you will
> # only need to change the interface.
>
> #[bro]
> #type=standalone
> #host=localhost
> #interface=ens2f0
>
> ## Below is an example clustered configuration. If you use this,
> ## remove the [bro] node above.
>
> #[logger]
> #type=logger
> #host=localhost
> #
> [manager]
> type=manager
> host=localhost
> #
> [proxy-1]
> type=proxy
> host=localhost
> #
> [worker-1]
> lb_method=pf_ring
> lb_procs=1
> #pin_cpus=2,3
> type=worker
> host=localhost
> interface=ens2f0
> #
> [worker-2]
> lb_method=pf_ring
> lb_procs=2
> #pin_cpus=4,5
> type=worker
> host=localhost
> interface=ens2f1
> #
> [worker-3]
> lb_method=pf_ring
> lb_procs=4
> #pin_cpus=2,3
> type=worker
> host=localhost
> interface=ens2f2
> #
> [worker-4]
> lb_method=pf_ring
> lb_procs=5
> #pin_cpus=4,5
> type=worker
> host=localhost
> interface=eno2
>
> --
> Philip Romero, CISSP, CISA
> Sr. Information Security Analyst
> CENIC
> promero at cenic.org
> Phone: (714) 220-3430
> Mobile: (562) 237-9290
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
> --
> Seth Hall * Corelight, Inc * www.corelight.com
>
--
Philip Romero, CISSP, CISA
Sr. Information Security Analyst
CENIC
promero at cenic.org
Phone: (714) 220-3430
Mobile: (562) 237-9290
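The check Seth's extra `node` column makes possible, automated: the following is an added example (not code from the thread's authors or from the Bro project) that parses conn.log lines carrying that trailing `node` field, groups records by timestamp and 5-tuple (the uid differs per worker, so it cannot be the key), and reports every connection written more than once together with the processes that wrote it. It also labels the pattern, since the two hypotheses in the thread look different in the node names: copies from `worker-4-1` through `worker-4-4` are the lb_procs of one worker all seeing the same packets (what Philip reports), while copies from `worker-1-x` and `worker-2-x` would mean two interfaces receiving the same traffic (what Seth suspected). It assumes the default Conn::Info column order with `node` appended last, and that lb_procs names follow the `worker-N-M` form shown above; the sample input is the four records from Philip's reply.

```python
"""Find conn.log records written more than once, and which node wrote each.

Added example for this thread; not code from the Bro project or from the
thread's authors.  Assumes the default Conn::Info column order with the
`node` field from the local.bro snippet appended as the last column.
"""
from collections import defaultdict

# Assumed column layout: default conn.log fields, then the added `node` field.
FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "local_resp", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
    "tunnel_parents", "node",
]

# Sample input: the four records from the reply above, one per line.
SAMPLE_LOG = """\
1515000332.481539 CY3pub5wesleIxzhh 137.164.29.72 49519 173.245.59.100 53 udp dns 0.001269 54 54 SF T F 0 Dd 1 82 1 82 (empty) worker-4-2
1515000332.481539 CkBMQVujDASjTbiZb 137.164.29.72 49519 173.245.59.100 53 udp dns 0.001269 54 54 SF T F 0 Dd 1 82 1 82 (empty) worker-4-1
1515000332.481539 CMTY2G1ferRjOZtWz 137.164.29.72 49519 173.245.59.100 53 udp dns 0.001269 54 54 SF T F 0 Dd 1 82 1 82 (empty) worker-4-4
1515000332.481539 CMj0iL2677DvhMHNue 137.164.29.72 49519 173.245.59.100 53 udp dns 0.001269 54 54 SF T F 0 Dd 1 82 1 82 (empty) worker-4-3
"""


def parse_conn_log(text):
    """Return one dict per record; blank lines and '#' header lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}: {line!r}")
        records.append(dict(zip(FIELDS, parts)))
    return records


def flow_key(rec):
    """Identity of a connection independent of uid (each worker assigns its own)."""
    return (rec["ts"], rec["id.orig_h"], rec["id.orig_p"],
            rec["id.resp_h"], rec["id.resp_p"], rec["proto"])


def find_duplicates(records):
    """Map every flow logged more than once to the sorted list of nodes that logged it."""
    writers = defaultdict(list)
    for rec in records:
        writers[flow_key(rec)].append(rec["node"])
    return {key: sorted(nodes) for key, nodes in writers.items() if len(nodes) > 1}


def worker_of(node):
    """Strip the lb_procs suffix: 'worker-4-2' -> 'worker-4'; 'worker-3' stays as is."""
    return node.rsplit("-", 1)[0] if node.count("-") >= 2 else node


def classify(nodes):
    """Name the duplication pattern seen in the writing nodes.

    'same-process':               one process logged the flow repeatedly.
    'same-worker-multiple-procs': several lb_procs of one worker all saw the
                                  packets, i.e. the load balancer is not
                                  splitting traffic between them.
    'multiple-workers':           workers on different interfaces each saw
                                  the same traffic.
    """
    if len(set(nodes)) == 1:
        return "same-process"
    if len({worker_of(n) for n in nodes}) == 1:
        return "same-worker-multiple-procs"
    return "multiple-workers"


def report(text):
    """Parse, find duplicates, and attach a classification to each."""
    dups = find_duplicates(parse_conn_log(text))
    return {key: (nodes, classify(nodes)) for key, nodes in dups.items()}


if __name__ == "__main__":
    for key, (nodes, pattern) in report(SAMPLE_LOG).items():
        ts, orig_h, orig_p, resp_h, resp_p, proto = key
        print(f"{ts} {orig_h}:{orig_p} -> {resp_h}:{resp_p}/{proto}: "
              f"{len(nodes)} copies from {', '.join(nodes)} [{pattern}]")
```

Run against a whole conn.log (`report(open(path).read())`) the counts per flow also show whether every flow is duplicated or only those on one interface, which narrows the problem to a single worker's pf_ring setup versus an interface mirroring issue.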