[Bro] Bro conn log history questions
Jon Siwek
jsiwek at corelight.com
Fri Jun 8 08:58:06 PDT 2018
On Fri, Jun 1, 2018 at 3:05 PM Chris Herdt <cherdt at umn.edu> wrote:
>
> Sometimes I see multiple R flags in the conn.log history field. Example (field order alphabetized due to attempts to prettify JSON):
> I'm not certain how to interpret this. I assume that means Bro detected multiple RST packets from the originator, but that also contradicts the documentation
Seems like a case of the docs being wrong/outdated. I've changed it:
## If the event comes from the originator, the letter is in
## upper-case; if it comes from the responder, it's in
## lower-case. The 'a', 'c', 'd', 'i', 'q', and 't' flags are
## recorded a maximum of one time in either direction regardless
## of how many are actually seen. However, 'f', 'h', 'r', or
## 's' may be recorded multiple times for either direction and
## only compressed when sharing a sequence number with the
## last-seen packet of the same flag type.
So yeah, I'd interpret multiple 'R' in the history field as "saw at
least that many RST packets from originator that did not share the
same sequence number as the last RST".
> Additionally, I sometimes see an H flag in the conn.log. I would only expect to see a SYN-ACK from the responder, so I'm wondering why Bro's heuristics didn't flip the connection.
Last I recall, it won't flip roles upon just first witnessing a
SYN-ACK. Some thoughts/history related to that at [1].
So, just glancing at the TCP code, it seems like it may record the
history before deciding to flip the roles in at least one situation:
if it first sees a SYN-ACK, it could record 'H', but then later see a
SYN from the peer and decide to flip the roles at that point.
- Jon
[1] https://bro-tracker.atlassian.net/browse/BIT-1236
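As an added worked example (not Bro's own code, and not part of the original thread) of the recording rule in the revised doc comment above: a small Python simulation of how the conn.log history string grows from a constructed packet sequence. The `Packet` fields, `build_history` name and the sample packets are all assumptions for illustration.

```python
"""Simulate conn.log 'history' flag recording per the documented rule.

Constructed example, not Bro's implementation. It models only what the
doc comment states: 'a','c','d','i','q','t' are recorded at most once per
direction; 'f','h','r','s' may repeat, but a repeat is suppressed when the
packet shares a sequence number with the last-seen packet of the same
flag type in that direction.
"""
from dataclasses import dataclass

ONCE_PER_DIRECTION = set("acdiqt")
REPEATABLE = set("fhrs")


@dataclass
class Packet:
    from_orig: bool  # True if sent by the originator (upper-case letter)
    flag: str        # history letter, lower-case
    seq: int         # TCP sequence number (only matters for REPEATABLE)


def build_history(packets):
    """Return the history string for an ordered list of Packets."""
    history = []
    seen_once = set()   # (flag, from_orig) already recorded
    last_seq = {}       # (flag, from_orig) -> seq of last-seen packet
    for p in packets:
        flag = p.flag.lower()
        key = (flag, p.from_orig)
        if flag in ONCE_PER_DIRECTION:
            if key in seen_once:
                continue            # already recorded for this direction
            seen_once.add(key)
        elif flag in REPEATABLE:
            if key in last_seq and last_seq[key] == p.seq:
                continue            # same seq as last one: compressed
            last_seq[key] = p.seq
        else:
            raise ValueError(f"unknown history flag {p.flag!r}")
        history.append(flag.upper() if p.from_orig else flag)
    return "".join(history)


# Constructed sample: handshake, data both ways, a duplicate data packet,
# then three RSTs from the originator of which two share a sequence number.
SAMPLE_PACKETS = [
    Packet(True, "s", 100), Packet(False, "h", 500), Packet(True, "a", 101),
    Packet(True, "d", 101), Packet(False, "d", 501), Packet(True, "d", 150),
    Packet(True, "r", 200), Packet(True, "r", 200), Packet(True, "r", 201),
]

if __name__ == "__main__":
    print(build_history(SAMPLE_PACKETS))  # ShADdRR
```

The two trailing 'R's show the behaviour Jon describes: the retransmitted RST with the same sequence number is compressed, the one with a new sequence number is recorded again.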