[Bro] Conn log shows massive file transfer inbetween normal browsing

Eric Hacecky hacecky at jlab.org
Wed May 16 13:54:54 PDT 2018


Justin,

Thanks for the response.

> You can figure out how high it needs to be based on how frequently you are seeing that connection logged.

Here are some more of the logs (chopped down for readability).  You can see there are multiple "large transfers" in a small time window, less than 5 minutes.  Does this mean setting the window higher isn't going to make a difference since I'm already seeing connections more frequently than 5 minutes?

4:38:33.098 PM	-  10.10.10.10	63962	20.20.20.20	443	tcp	-	0.015809	73288814	0	S0
4:38:31.815 PM	-  10.10.10.10	63951	20.20.20.20	443	tcp	-	0.015764	1834934747	0	S0
4:38:31.565 PM	-  10.10.10.10	63949	20.20.20.20	443	tcp	-	0.015718	616216164	0	S0
4:38:28.952 PM	-  10.10.10.10	64031	20.20.20.20	443	tcp	-	3.014994	1213244309	0	S0
4:38:28.701 PM	-  10.10.10.10	64028	20.20.20.20	443	tcp	-	3.023816	1777413339	0	S0
4:38:28.329 PM	-  10.10.10.10	64024	20.20.20.20	443	TCP_ack_underflow_or_misorder	-	F	worker-2
4:38:28.313 PM	-  10.10.10.10	64024	20.20.20.20	443	tcp	-	3.017128	0	0	S0
4:38:28.272 PM	-  10.10.10.10	64022	20.20.20.20	443	TCP_ack_underflow_or_misorder	-	F	worker-2
4:38:28.257 PM	-  10.10.10.10	64022	20.20.20.20	443	tcp	-	3.010362	0	0	S0


I included the tcp_ack_underflow_or_misorder from weird log too in case that sheds any light.

-Eric

----- Original Message -----
From: "Justin S Azoff" <jazoff at illinois.edu>
To: "Eric Hacecky" <hacecky at jlab.org>
Cc: bro at bro.org
Sent: Wednesday, May 16, 2018 4:05:03 PM
Subject: Re: [Bro] Conn log shows massive file transfer inbetween normal browsing

> On May 16, 2018, at 3:25 PM, Eric Hacecky <hacecky at jlab.org> wrote:
> 
> I'm having some anomalies in my conn.log.
> 
> Scenario:
> 
> Internal host on my network (10.10.10.10) is browsing autotrader (20.20.20.20)
> 
> In between normal bro logs for the related traffic, I have things like this showing up:
> 
> // conn.log
> 1524177777.577777	Ccq8hi7x7jIegYyKE7	10.10.10.10	63971	20.20.20.20	443	tcp	-	0.015780	1284714853	0	S0	T	F	0	Sa	1	48	1	44	(empty)
> 
> 
> As I'm reading this, it shows my internal host sent ~1.2gigs of data in .015 seconds to this external host.
> 
> S0 for the conn_state "Connection attempt seen, no reply."
> 
> 
> So bro thinks my host tried to send 1.2 gigs off-site but failed? (there are many more similar log entries for the same host)
> 
> Any ideas what can cause this?
> 
> Thanks,
> Eric

that's probably a websocket connection or something that is idle for long periods of time.  Since it's idle for so long bro is assuming the connection ended and is then getting confused when they start talking again.  You can fix it by redeffing this value to be higher:

## If a TCP connection is inactive, time it out after this interval. If 0 secs,
## then don't time it out.
##
## .. bro:see:: udp_inactivity_timeout icmp_inactivity_timeout set_inactivity_timeout
const tcp_inactivity_timeout = 5 min &redef;

You can figure out how high it needs to be based on how frequently you are seeing that connection logged. 

-- 
Justin Azoff
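The conn.log line in Eric's original message and Justin's explanation both point at the same sanity check: Bro derives orig_bytes from TCP sequence numbers, while orig_ip_bytes counts the IP-level bytes actually captured, so a real transfer can never report more payload than wire bytes plus missed_bytes. The script below is an added example, not code from the thread or from the Bro project; it parses conn.log lines in the default Bro 2.5 column order (the thread's line has those 21 columns), flags entries whose byte counts are artifacts of stale connection state, and keeps genuine large uploads visible. The two constructed log lines, the 10 MiB "large" threshold and the 10 Gbit/s rate ceiling are assumptions for the example.

```python
"""Separate real large transfers in conn.log from artifacts of stale TCP state.

In Bro's conn.log, orig_bytes and resp_bytes come from TCP sequence numbers,
whereas orig_ip_bytes and resp_ip_bytes count the IP-level bytes actually seen
on the wire (headers included). For a transfer that really happened, payload
bytes cannot exceed wire bytes plus missed_bytes (known capture gaps). A
sequence-derived count far above what was captured is bookkeeping residue,
not data leaving the host.
"""

# Default Bro 2.5 conn.log column order; used when no #fields header is present.
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts",
    "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

LARGE_TRANSFER_BYTES = 10 * 1024 * 1024  # assumption: 10 MiB is worth a look when genuine
PHANTOM_RATE_BPS = 10 * 10**9            # assumption: no single host here sends >10 Gbit/s


def parse_conn_log(text):
    """Parse tab-separated conn.log text into a list of field dicts.

    Honours a #fields header if present, otherwise assumes CONN_FIELDS.
    """
    fields = CONN_FIELDS
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("column count %d != %d: %r" % (len(values), len(fields), line))
        records.append(dict(zip(fields, values)))
    return records


def _num(value, cast=int):
    """Bro writes '-' for unset numeric fields; treat those as zero."""
    return cast(value) if value != "-" else cast(0)


def classify(rec):
    """Return (verdict, implied originator rate in bytes/s).

    verdict is 'phantom' (impossible counters), 'large' (genuine and big) or 'normal'.
    """
    orig_bytes = _num(rec["orig_bytes"])
    orig_ip_bytes = _num(rec["orig_ip_bytes"])
    missed_bytes = _num(rec["missed_bytes"])
    duration = _num(rec["duration"], float)
    rate = orig_bytes / duration if duration > 0 else 0.0

    # Payload reported above what was physically captured (plus known gaps)
    # cannot be a real transfer: the sequence-number delta came from stale state.
    if orig_bytes > orig_ip_bytes + missed_bytes:
        return "phantom", rate
    # Independent second check: an implied line rate the host does not have.
    if rate > PHANTOM_RATE_BPS:
        return "phantom", rate
    if orig_bytes >= LARGE_TRANSFER_BYTES:
        return "large", rate
    return "normal", rate


def audit(text):
    """Classify every record; returns [(uid, verdict, rate), ...] in log order."""
    return [(r["uid"], *classify(r)) for r in parse_conn_log(text)]


# Constructed sample: the thread's own line plus two made-up records.
SAMPLE_LOG = "\n".join([
    "#fields\t" + "\t".join(CONN_FIELDS),
    # Line from the thread: ~1.2 GB "sent" in 0.016 s, yet 1 packet / 48 IP bytes seen.
    "\t".join(["1524177777.577777", "Ccq8hi7x7jIegYyKE7", "10.10.10.10", "63971",
               "20.20.20.20", "443", "tcp", "-", "0.015780", "1284714853", "0",
               "S0", "T", "F", "0", "Sa", "1", "48", "1", "44", "(empty)"]),
    # Constructed: a genuine 50 MiB upload; wire bytes cover the payload.
    "\t".join(["1524177800.000000", "CconstructedUpload1", "10.10.10.10", "50123",
               "20.20.20.20", "443", "tcp", "ssl", "12.5", "52428800", "8192",
               "SF", "T", "F", "0", "ShADadFf", "36000", "54300000", "18000",
               "730000", "(empty)"]),
    # Constructed: ordinary HTTPS browsing.
    "\t".join(["1524177801.000000", "CconstructedBrowse2", "10.10.10.10", "50124",
               "20.20.20.20", "443", "tcp", "ssl", "0.8", "1500", "42000",
               "SF", "T", "F", "0", "ShADadFf", "20", "2600", "40", "44100",
               "(empty)"]),
])

if __name__ == "__main__":
    for uid, verdict, rate in audit(SAMPLE_LOG):
        print("%-22s %-8s implied rate %.3g B/s" % (uid, verdict, rate))
```

Raising tcp_inactivity_timeout as Justin suggests removes the cause; this check is for the residue already in your logs, so a 1.2 GB "upload" with one 48-byte packet behind it does not get escalated as exfiltration while a real 50 MiB upload still does. The missed_bytes term matters: with capture loss Bro legitimately reports more sequence-space bytes than wire bytes, and treating those as phantom would hide a real transfer.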
