[Bro] Conn log shows massive file transfer inbetween normal browsing

Eric Hacecky hacecky at jlab.org
Thu May 17 05:47:06 PDT 2018 

Here are the matching source port entries for the last 3 connections.

The other two from ports 64031 and 64028 did not have any others from those ports.

The connection IDs are different throughout, I've included them this time around.

4:38:31.565 PM	CmtAeYrQjXqUGW4xi	10.10.10.10	63949	20.20.20.20	443	tcp	-	0.015718	616216164	0	S0	T	F	0	Sa	1	48	1	44
4:38:22.566 PM	CiyCGi1xwft9PDrqG9	10.10.10.10	63949	20.20.20.20	443	tcp	-	3.013144	616216164	0	S0	T	F	0	Sa	2	104	2	88
4:38:31.815 PM	Cv2Tqo4ErGAdpsnth2	10.10.10.10	63951	20.20.20.20	443	tcp	-	0.015764	1834934747	0	S0	T	F	0	Sa	1	48	1	44
4:38:22.817 PM	CYpYXo175dS7gtQ1p1	10.10.10.10	63951	20.20.20.20	443	tcp	-	3.011727	1834934747	0	S0	T	F	0	Sa	2	104	2	88
4:38:33.098 PM	C3g5Yo4goIOLJEzvSh	10.10.10.10	63962	20.20.20.20	443	tcp	-	0.015809	73288814	0	S0	T	F	0	Sa	1	48	1	44
4:38:24.099 PM	Cv9aWbc0kwMKi7BC2	10.10.10.10	63962	20.20.20.20	443	tcp	-	3.007776	73288814	0	S0	T	F	0	Sa	2	104	2	88

Is there any significance to the orig_bytes and S0 conn state?

I'm considering filtering these log entires but not sure if I would end up filtering any 'real' traffic in the process.

Eric

----- Original Message -----
From: "Justin S Azoff" <jazoff at illinois.edu>
To: "Eric Hacecky" <hacecky at jlab.org>
Cc: bro at bro.org
Sent: Wednesday, May 16, 2018 5:15:58 PM
Subject: Re: [Bro] Conn log shows massive file transfer inbetween normal browsing

> On May 16, 2018, at 4:54 PM, Eric Hacecky <hacecky at jlab.org> wrote:
> 
> Justin,
> 
> Thanks for the response.
> 
>> You can figure out how high it needs to be based on how frequently you are seeing that connection logged.
> 
> Here are some more of the logs (chopped down for readability).  You can see there are multiple "large transfers" in a small time window, less than 5 minutes.  Does this mean setting the window higher isn't going to make a difference since I'm already seeing connections more frequently than 5 minutes?
> 
> 4:38:33.098 PM	-  10.10.10.10	63962	20.20.20.20	443	tcp	-	0.015809	73288814	0	S0
> 4:38:31.815 PM	-  10.10.10.10	63951	20.20.20.20	443	tcp	-	0.015764	1834934747	0	S0
> 4:38:31.565 PM	-  10.10.10.10	63949	20.20.20.20	443	tcp	-	0.015718	616216164	0	S0
> 4:38:28.952 PM	-  10.10.10.10	64031	20.20.20.20	443	tcp	-	3.014994	1213244309	0	S0
> 4:38:28.701 PM	-  10.10.10.10	64028	20.20.20.20	443	tcp	-	3.023816	1777413339	0	S0
> 4:38:28.329 PM	-  10.10.10.10	64024	20.20.20.20	443	TCP_ack_underflow_or_misorder	-	F	worker-2
> 4:38:28.313 PM	-  10.10.10.10	64024	20.20.20.20	443	tcp	-	3.017128	0	0	S0
> 4:38:28.272 PM	-  10.10.10.10	64022	20.20.20.20	443	TCP_ack_underflow_or_misorder	-	F	worker-2
> 4:38:28.257 PM	-  10.10.10.10	64022	20.20.20.20	443	tcp	-	3.010362	0	0	S0

hmm, that is showing 7 different tcp source ports, so this wouldn't be the same connection.  If you search for 63949 do you find earlier matches?

> 
> I included the tcp_ack_underflow_or_misorder from weird log too in case that sheds any light.
> 
> -Eric

It's probably realted..

— 
Justin Azoff

More information about the Bro mailing list