[Bro] Conn log shows massive file transfer in between normal browsing
Azoff, Justin S
jazoff at illinois.edu
Wed May 16 14:15:58 PDT 2018
> On May 16, 2018, at 4:54 PM, Eric Hacecky <hacecky at jlab.org> wrote:
>
> Justin,
>
> Thanks for the response.
>
>> You can figure out how high it needs to be based on how frequently you are seeing that connection logged.
>
> Here are some more of the logs (chopped down for readability). You can see there are multiple "large transfers" in a small time window, less than 5 minutes. Does this mean setting the window higher isn't going to make a difference since I'm already seeing connections more frequently than 5 minutes?
>
> 4:38:33.098 PM - 10.10.10.10 63962 20.20.20.20 443 tcp - 0.015809 73288814 0 S0
> 4:38:31.815 PM - 10.10.10.10 63951 20.20.20.20 443 tcp - 0.015764 1834934747 0 S0
> 4:38:31.565 PM - 10.10.10.10 63949 20.20.20.20 443 tcp - 0.015718 616216164 0 S0
> 4:38:28.952 PM - 10.10.10.10 64031 20.20.20.20 443 tcp - 3.014994 1213244309 0 S0
> 4:38:28.701 PM - 10.10.10.10 64028 20.20.20.20 443 tcp - 3.023816 1777413339 0 S0
> 4:38:28.329 PM - 10.10.10.10 64024 20.20.20.20 443 TCP_ack_underflow_or_misorder - F worker-2
> 4:38:28.313 PM - 10.10.10.10 64024 20.20.20.20 443 tcp - 3.017128 0 0 S0
> 4:38:28.272 PM - 10.10.10.10 64022 20.20.20.20 443 TCP_ack_underflow_or_misorder - F worker-2
> 4:38:28.257 PM - 10.10.10.10 64022 20.20.20.20 443 tcp - 3.010362 0 0 S0
hmm, that is showing 7 different tcp source ports, so this wouldn't be the same connection. If you search for 63949 do you find earlier matches?
>
> I included the tcp_ack_underflow_or_misorder from weird log too in case that sheds any light.
>
> -Eric
It's probably related..
—
Justin Azoff
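A sanity check one can run over conn.log entries like the ones quoted above, as an added example that is not part of this thread or of Bro itself. For TCP, Bro derives orig_bytes from sequence numbers rather than from payload it actually saw, so a record in state S0 (SYN seen, no reply) that claims hundreds of megabytes in 15 ms is reporting a sequence-number gap, not a transfer. The script parses a few constructed, tab-separated records in the default conn.log and weird.log column order (same hosts and ports as the post, but the records themselves are made up here), flags entries whose implied throughput exceeds an assumed 10 Gbit/s link, flags S0 entries with nonzero orig_bytes, and joins in weird.log names for the same 4-tuple. The column order, the link-speed ceiling and the verdict labels are assumptions of this example.

```python
"""Sanity-check Bro conn.log entries that claim huge one-sided transfers.

Added example, not code from the original thread or from Bro. Constructed
sample records below use the same hosts/ports as the post; the values are
illustrative only.
"""
from collections import defaultdict

# Assumed link capacity used for the plausibility check (bits per second).
MAX_LINK_BPS = 10_000_000_000

# Constructed sample conn.log records (not the poster's raw log). Columns:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration
# orig_bytes resp_bytes conn_state
CONN_LOG = """\
1526513913.098\tCabc1\t10.10.10.10\t63962\t20.20.20.20\t443\ttcp\t-\t0.015809\t73288814\t0\tS0
1526513911.815\tCabc2\t10.10.10.10\t63951\t20.20.20.20\t443\ttcp\t-\t0.015764\t1834934747\t0\tS0
1526513908.313\tCabc3\t10.10.10.10\t64024\t20.20.20.20\t443\ttcp\t-\t3.017128\t0\t0\tS0
1526513900.000\tCabc4\t10.10.10.10\t50001\t20.20.20.20\t443\ttcp\tssl\t12.5\t4096\t81920\tSF
"""

# Constructed weird.log record. Columns:
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
WEIRD_LOG = """\
1526513908.329\tCabc3\t10.10.10.10\t64024\t20.20.20.20\t443\tTCP_ack_underflow_or_misorder\t-\tF\tworker-2
"""


def _num(field, cast):
    """Bro writes '-' for unset fields; treat those as zero."""
    return cast(field) if field != "-" else cast(0)


def parse_conn(text):
    """Yield one dict per conn.log data line; '#' header lines are skipped."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        yield {
            "ts": float(f[0]), "uid": f[1],
            "orig_h": f[2], "orig_p": int(f[3]), "resp_h": f[4], "resp_p": int(f[5]),
            "proto": f[6], "service": f[7],
            "duration": _num(f[8], float),
            "orig_bytes": _num(f[9], int),
            "resp_bytes": _num(f[10], int),
            "conn_state": f[11],
        }


def parse_weird(text):
    """Map (orig_h, orig_p, resp_h, resp_p) -> weird names seen for that 4-tuple."""
    by_tuple = defaultdict(list)
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        by_tuple[(f[2], int(f[3]), f[4], int(f[5]))].append(f[6])
    return by_tuple


def implied_bps(rec):
    """Originator throughput the record implies (bits per second)."""
    if rec["duration"] <= 0:
        return float("inf") if rec["orig_bytes"] else 0.0
    return rec["orig_bytes"] * 8 / rec["duration"]


def classify(rec, weird_by_tuple):
    """Return ('suspect'|'plausible', [reasons]) for one conn.log record."""
    reasons = []
    if rec["conn_state"] == "S0" and rec["orig_bytes"] > 0:
        reasons.append("S0 with nonzero orig_bytes (no reply seen; TCP byte count "
                       "comes from sequence numbers)")
    bps = implied_bps(rec)
    if bps > MAX_LINK_BPS:
        reasons.append(f"implied {bps / 1e9:.1f} Gbit/s exceeds assumed link capacity")
    weird = weird_by_tuple.get((rec["orig_h"], rec["orig_p"], rec["resp_h"], rec["resp_p"]))
    if weird:
        reasons.append("weird.log: " + ",".join(weird))
    return ("suspect" if reasons else "plausible"), reasons


def audit(conn_text, weird_text):
    """Classify every conn.log record; returns {uid: (verdict, reasons)}."""
    weird_by_tuple = parse_weird(weird_text)
    return {rec["uid"]: classify(rec, weird_by_tuple) for rec in parse_conn(conn_text)}


if __name__ == "__main__":
    for uid, (verdict, reasons) in audit(CONN_LOG, WEIRD_LOG).items():
        print(uid, verdict, "; ".join(reasons))
```

Run against a real log, the same logic works with `zeek-cut`-style field extraction or by reading the tab-separated file directly; the point is to separate records whose byte counts are physically possible from sequence-number artifacts before treating any of them as a data-exfiltration lead.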