[Bro] Gigamon issues

Carl Rotenan carlrotenan at gmail.com
Thu Jun 7 08:05:48 PDT 2018


To answer your question, no, I'm not doing anything with the traffic. The
data comes directly from the Gigamon to the Bro box. I think the first
capture is cleaner. When I run it against Suricata I get:

[root at localhost files]# ls -la
total 14916
drwxr-xr-x. 2 root root     204 Jun  4 19:58 .
drwxr-xr-x. 4 root root     139 Jun  4 12:53 ..
-rw-r--r--. 1 root root 7401713 Jun  7 10:55 file.1
-rw-r--r--. 1 root root     888 Jun  7 10:55 file.1.meta
-rw-r--r--. 1 root root 1154140 Jun  7 10:55 file.2
-rw-r--r--. 1 root root     884 Jun  7 10:55 file.2.meta
-rw-r--r--. 1 root root 3897161 Jun  7 10:55 file.3
-rw-r--r--. 1 root root     906 Jun  7 10:55 file.3.meta
-rw-r--r--. 1 root root     129 Jun  5 10:34 file.4
-rw-r--r--. 1 root root     651 Jun  5 10:34 file.4.meta
-rw-r--r--. 1 root root  313584 Jun  5 10:34 file.5
-rw-r--r--. 1 root root     789 Jun  5 10:34 file.5.meta
-rw-r--r--. 1 root root  313584 Jun  5 10:34 file.6
-rw-r--r--. 1 root root     790 Jun  5 10:34 file.6.meta
[root at localhost files]# suricata -v -r ~/04jun2018_01.cap

and no files are identified by Bro.

cat conn.log | /usr/local/bro/bin/bro-cut missed_bytes | grep -v 0 is clean.

On Thu, Jun 7, 2018 at 9:44 AM, Hosom, Stephen M <hosom at battelle.org> wrote:

> There’s lots of missing data in these captures. Are you doing something
> other than decryption with these packets before Bro gets its hands on them?
>
>
> cat conn.log | bro-cut missed_bytes | grep -v 0
>
> 1871523195
> 784491773
> 14915895983
> 97421147
>
>
> From: <bro-bounces at bro.org> on behalf of Carl Rotenan <carlrotenan at gmail.com>
> Date: Monday, June 4, 2018 at 8:38 PM
> To: bro <bro at bro.org>
> Subject: Re: [Bro] Gigamon issues
>
> Here is a link to the captures that I'm having trouble getting Bro to
> extract,
>
> https://www.dropbox.com/s/suebc590a5yb2ym/caps.zip?dl=0
>
> Wireshark and Suricata are able to retrieve the files, so I'm stymied.
>
> On Mon, Jun 4, 2018 at 11:43 AM, Carl Rotenan <carlrotenan at gmail.com> wrote:
> Hello,
>
> I'm trying to extract files from traffic coming from a Gigamon box doing
> SSL decryption, but Bro doesn't seem to like or be able to comprehend the
> data. I get the following entries in my weird.log file. Does anyone have a
> Gigamon they are able to do this with, or any ideas what the logs seem to
> indicate?
>
> Thanks,
>
> Carl
>
> #separator \x09
> #set_separator ,
> #empty_field (empty)
> #unset_field -
> #path weird
> #open 2018-06-04-11-37-09
> #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
> #types time string addr port addr port string string bool string
> 1528122717.528452 Cqshm33SbZlmFKbUn2 10.1.10.122 52544 134.213.72.175 80 SYN_seq_jump - F bro
> 1528122720.752922 Cqshm33SbZlmFKbUn2 10.1.10.122 52544 134.213.72.175 80 window_recision - F bro
> 1528122782.018423 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 SYN_seq_jump - F bro
> 1528122782.018433 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 TCP_ack_underflow_or_misorder - bro
> 1528122782.237519 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 TCP_seq_underflow_or_misorder - bro
> 1528122805.509482 Cd5o3I37LutpcsMP8a 10.1.10.122 52546 134.213.72.175 80 SYN_seq_jump - F bro
> 1528122808.723988 Cd5o3I37LutpcsMP8a 10.1.10.122 52546 134.213.72.175 80 window_recision - F bro
> #close 2018-06-04-11-37-09
>
>
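The missed_bytes check and the weird.log entries quoted in this thread, worked as an added example that is not code from the thread or from Bro: a small Python parser for Bro's ASCII log format (#separator, #fields, #unset_field headers) that joins conn.log and weird.log on uid and reports connections with nonzero missed_bytes by numeric comparison rather than `grep -v 0`. The sample logs are constructed; the weird names and uids come from the thread, the conn.log missed_bytes values are made up.

```python
from collections import defaultdict

def parse_bro_log(text):
    """Parse Bro's ASCII log format; returns one dict per record, unset fields -> None."""
    sep, unset, fields, rows = "\t", "-", [], []
    for line in text.splitlines():
        if line.startswith("#separator "):
            # the value is written escaped, e.g. \x09 for a tab character
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, val = line[1:].partition(sep)  # other headers use the separator
            if key == "unset_field":
                unset = val
            elif key == "fields":
                fields = val.split(sep)
        elif line:
            rows.append({f: None if v == unset else v
                         for f, v in zip(fields, line.split(sep))})
    return rows

def missing_data_report(conn_text, weird_text):
    """Map each uid with missed_bytes > 0 to (missed_bytes, [weird names]).
    Comparing numerically avoids the `grep -v 0` pitfall, which also drops
    any value that merely contains a zero digit, such as 1024."""
    weird_by_uid = defaultdict(list)
    for w in parse_bro_log(weird_text):
        weird_by_uid[w["uid"]].append(w["name"])
    report = {}
    for c in parse_bro_log(conn_text):
        missed = int(c["missed_bytes"] or 0)  # unset (-) counts as 0
        if missed > 0:
            report[c["uid"]] = (missed, weird_by_uid.get(c["uid"], []))
    return report

# Constructed sample logs, tab-separated as Bro writes them. The weird names
# and uids are taken from the thread; the conn.log missed_bytes values are made up.
T = "\t"
CONN_LOG = "\n".join([
    "#separator \\x09", "#unset_field" + T + "-",
    T.join(["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "missed_bytes"]),
    T.join(["1528122717.528452", "Cqshm33SbZlmFKbUn2", "10.1.10.122", "52544", "134.213.72.175", "80", "1024"]),
    T.join(["1528122782.018423", "Ccnbkv2S8zjS0Znc35", "10.1.10.122", "52545", "134.213.72.175", "80", "0"]),
    T.join(["1528122805.509482", "Cd5o3I37LutpcsMP8a", "10.1.10.122", "52546", "134.213.72.175", "80", "-"]),
])
WEIRD_LOG = "\n".join([
    "#separator \\x09", "#unset_field" + T + "-",
    T.join(["#fields", "ts", "uid", "name", "addl", "notice", "peer"]),
    T.join(["1528122717.528452", "Cqshm33SbZlmFKbUn2", "SYN_seq_jump", "-", "F", "bro"]),
    T.join(["1528122720.752922", "Cqshm33SbZlmFKbUn2", "window_recision", "-", "F", "bro"]),
])
```

Running `missing_data_report(CONN_LOG, WEIRD_LOG)` on the sample flags only the 1024-byte gap, a record the `grep -v 0` pipeline would have silently dropped.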