[Bro] Conn log shows massive file transfer in between normal browsing
Eric Hacecky
hacecky at jlab.org
Wed May 16 12:25:13 PDT 2018
I'm having some anomalies in my conn.log.
Scenario:
Internal host on my network (10.10.10.10) is browsing autotrader (20.20.20.20)
In between normal Bro logs for the related traffic, I have things like this showing up:
// conn.log
1524177777.577777 Ccq8hi7x7jIegYyKE7 10.10.10.10 63971 20.20.20.20 443 tcp - 0.015780 1284714853 0 S0 T F 0 Sa 1 48 1 44 (empty)
As I'm reading this, it shows my internal host sent ~1.2 gigs of data in .015 seconds to this external host.
S0 for the conn_state "Connection attempt seen, no reply."
So Bro thinks my host tried to send 1.2 gigs off-site but failed? (There are many more similar log entries for the same host.)
Any ideas what can cause this?
Thanks,
Eric
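An added triage helper, not code from the post or from the Bro/Zeek project: it parses conn.log lines in the default column order (ts, uid, id.orig_h, ..., tunnel_parents; an assumption, since the post does not show its header) and cross-checks orig_bytes against orig_pkts and orig_ip_bytes. The Zeek conn.log documentation notes that for TCP, orig_bytes is derived from sequence numbers and can be inaccurate, whereas orig_pkts and orig_ip_bytes count packets actually seen, so a single 48-byte packet reported as carrying over a gigabyte of payload is a counter inconsistency to investigate rather than evidence of a transfer. The first sample line is the one quoted above; the other two are constructed for the example.

```python
"""Cross-check byte counters in Zeek/Bro conn.log records.

Added example, not from the mailing-list post or the Bro project. Assumes the
default conn.log field order and whitespace-separated columns, as in the
line quoted in the post.
"""

# Default conn.log column order (assumption: the log uses Zeek/Bro defaults).
FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "local_resp", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
    "tunnel_parents",
]

INT_FIELDS = ("orig_bytes", "resp_bytes", "missed_bytes",
              "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes")

# Sample records. The first is the line quoted in the post; the remaining
# two are constructed for this example (a normal TLS session and a session
# with a content gap reported in missed_bytes).
SAMPLE_LINES = [
    "1524177777.577777 Ccq8hi7x7jIegYyKE7 10.10.10.10 63971 20.20.20.20 443 "
    "tcp - 0.015780 1284714853 0 S0 T F 0 Sa 1 48 1 44 (empty)",
    "1524177780.123456 CabcDE12345678901 10.10.10.10 63972 20.20.20.20 443 "
    "tcp ssl 1.234567 1250 8400 SF T F 0 ShADadFf 12 1890 10 8930 (empty)",
    "1524177790.000000 CxyzLOSS0000000001 10.10.10.10 63973 20.20.20.20 443 "
    "tcp ssl 2.5 90000 300 SF T F 40000 ShADadFf 40 52000 8 740 (empty)",
]


def parse_conn_line(line):
    """Split one conn.log line into a dict keyed by the default field names."""
    cols = line.split()
    if len(cols) != len(FIELDS):
        raise ValueError("expected %d columns, got %d" % (len(FIELDS), len(cols)))
    rec = dict(zip(FIELDS, cols))
    for key in INT_FIELDS:
        rec[key] = None if rec[key] == "-" else int(rec[key])
    rec["duration"] = None if rec["duration"] == "-" else float(rec["duration"])
    return rec


def check_record(rec):
    """Return None if the originator counters are consistent, else a reason.

    orig_bytes (sequence-number derived for TCP) can never legitimately
    exceed orig_ip_bytes (bytes of packets actually captured) unless Zeek
    also reports a content gap in missed_bytes.
    """
    ob, pk, ipb = rec["orig_bytes"], rec["orig_pkts"], rec["orig_ip_bytes"]
    missed = rec["missed_bytes"] or 0
    if ob is None or pk is None or ipb is None:
        return None
    if ob <= ipb:
        return None  # payload fits within the bytes seen on the wire
    if missed > 0:
        return ("orig_bytes=%d exceeds captured orig_ip_bytes=%d; "
                "missed_bytes=%d points to capture loss" % (ob, ipb, missed))
    return ("orig_bytes=%d claimed from %d packet(s) / %d IP bytes with no "
            "content gap: sequence-number artefact, not a real transfer"
            % (ob, pk, ipb))


def scan(lines):
    """Return [(uid, reason)] for every record whose counters disagree."""
    flagged = []
    for line in lines:
        rec = parse_conn_line(line)
        reason = check_record(rec)
        if reason:
            flagged.append((rec["uid"], reason))
    return flagged


if __name__ == "__main__":
    for uid, reason in scan(SAMPLE_LINES):
        print(uid, reason)
```

Feeding the quoted line through `scan` flags it as a sequence-number artefact (one packet, 48 IP bytes, zero missed bytes), while the constructed normal session passes and the constructed lossy session is reported as capture loss, which is the distinction worth making before treating such an entry as exfiltration.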