[Bro] Conn log shows massive file transfer inbetween normal browsing

[Azoff, Justin S]

> On May 17, 2018, at 8:47 AM, Eric Hacecky <hacecky at jlab.org> wrote:
> 
> Here are the matching source port entries for the last 3 connections.
> 
> The other two from ports 64031 and 64028 did not have any others from those ports.
> 
> The connection IDs are different throughout, I've included them this time around.
> 
> 4:38:31.565 PM	CmtAeYrQjXqUGW4xi	10.10.10.10	63949	20.20.20.20	443	tcp	-	0.015718	616216164	0	S0	T	F	0	Sa	1	48	1	44
> 4:38:22.566 PM	CiyCGi1xwft9PDrqG9	10.10.10.10	63949	20.20.20.20	443	tcp	-	3.013144	616216164	0	S0	T	F	0	Sa	2	104	2	88
> 4:38:31.815 PM	Cv2Tqo4ErGAdpsnth2	10.10.10.10	63951	20.20.20.20	443	tcp	-	0.015764	1834934747	0	S0	T	F	0	Sa	1	48	1	44
> 4:38:22.817 PM	CYpYXo175dS7gtQ1p1	10.10.10.10	63951	20.20.20.20	443	tcp	-	3.011727	1834934747	0	S0	T	F	0	Sa	2	104	2	88
> 4:38:33.098 PM	C3g5Yo4goIOLJEzvSh	10.10.10.10	63962	20.20.20.20	443	tcp	-	0.015809	73288814	0	S0	T	F	0	Sa	1	48	1	44
> 4:38:24.099 PM	Cv9aWbc0kwMKi7BC2	10.10.10.10	63962	20.20.20.20	443	tcp	-	3.007776	73288814	0	S0	T	F	0	Sa	2	104	2	88
> 
> Is there any significance to the orig_bytes and S0 conn state?
> 
> I'm considering filtering these log entires but not sure if I would end up filtering any 'real' traffic in the process.

Now that I look closer at this i think my original comment was wrong, if these were long connections that bro was getting confused about, the history field would be Da (data + ack), not Sa (syn + ack).

Are other connections logged properly by bro ? Connections with a full history of something like ShAdDafF?

would be interesting to see a pcap of the traffic between those two hosts, then you could see if the system is even getting the full 3 way handshake or not.

— 
Justin Azoff