[Bro] Different Connection UID when using different modus
Assaf
assaf.morami at gmail.com
Fri Jun 29 08:46:12 PDT 2018
This is a wanted behavior by BRO.
Using the seeds options won't help either.
What I did to fix this is create a script that on new_connection()
overrides c$uid to my own uid (some deterministic calculation with the
connection's ts,ips,ports and proto),
and then @load this script from your script.
This is how I manage to get the same uid for the same connection in the
same pcap across different BRO runs.
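The approach Assaf describes, written out as an added example (this is not Assaf's own script or anything from the Bro project). It assumes Bro 2.x script syntax, the built-in `md5_hash()` and `fmt()` functions, and a file name of `deterministic-uid.bro` that the loading script references; the "C" prefix on the generated uid is an arbitrary choice to keep the look of Bro's own uids.

```bro
# deterministic-uid.bro (hypothetical file name)
# Added example, not part of the original post: replace Bro's random
# connection uid with one derived from the connection's start time and
# its 5-tuple, so the same pcap yields the same uid on every run.
# Load it from your own script with:  @load ./deterministic-uid

# High priority so every later handler (and any log that copies c$uid)
# already sees the replaced value.
event new_connection(c: connection) &priority=10
    {
    # Port values carry their transport protocol, so "%s" on c$id$resp_p
    # renders as e.g. "102/tcp"; the protocol is therefore part of the key.
    local key = fmt("%s|%s|%s|%s|%s",
                    c$start_time,
                    c$id$orig_h, c$id$orig_p,
                    c$id$resp_h, c$id$resp_p);

    # md5_hash() hashes the string form of its argument; the result is a
    # stable 32-character hex string for a given key.
    c$uid = fmt("C%s", md5_hash(key));
    }
```

One caveat visible in the quoted output below: the key includes the connection's start time, and the timestamps in the tcpreplay run (1530283326...) differ from those in the original pcap (1524935590...), so the replayed traffic still gets a different uid than a direct read of the pcap. Dropping `c$start_time` from the key would make the uid depend on the 5-tuple alone, at the cost of giving every reuse of the same 5-tuple the same uid.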
On Fri, Jun 29, 2018 at 6:18 PM DW <brot212 at googlemail.com> wrote:
> Hi there,
>
> I wrote a little script to keep track of some values sent between two
> PLCs, measuring the pressure of a compressor. To test it, I recorded the
> data traffic between those PLCs with Wireshark.
>
> However, I noticed that if I run Bro as command-line-utility, all
> packets belong to the same Connection UID (which is right, it's one
> single TCP connection), like this:
> 1524935590.861128 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 3.028429
> 1524935592.240910 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.936921
> 1524935593.510075 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.855541
> 1524935594.644501 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.78682
> 1524935595.890453 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Abfall 2.762949
> 1524935597.034076 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.765842
> 1524935598.310198 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.772352
> 1524935599.455176 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.777778
> 1524935600.715050 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.783203
> 1524935601.858465 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.78899
> 1524935603.105988 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.794777
> 1524935604.263663 C0A3ti4l4OfYaOOY2h 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.798756
>
>
> If I replay the pcap with tcpreplay and use Bro with BroCtl, the
> connection UID changes every 4 to 5 packets:
>
> 1530283326.472442 C0RGCfPjoO1qjgaB3 192.168.0.2 49153 192.168.0.20 102 Abfall 3.028429
> 1530283327.851737 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.936921
> 1530283329.200584 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.855541
> 1530283330.327749 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.78682
> 1530283331.575829 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Abfall 2.762949
> 1530283332.723797 ClqAHP3vbrPywNYyBl 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.765842
> 1530283333.995711 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.772352
> 1530283335.139726 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.777778
> 1530283336.399753 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.783203
> 1530283337.547808 CHT44c1znQoXygQZFh 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.78899
> 1530283338.791763 CoRELlzadjrZDCds2 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.794777
> 1530283339.947775 CoRELlzadjrZDCds2 192.168.0.2 49153 192.168.0.20 102 Anstieg 2.798756
>
> Could it be because I'm using tcpreplay? Or is it a wanted behavior of Bro?
>
> Thanks!
>
> Dane