[Bro] Conn log shows massive file transfer inbetween normal browsing

Eric Hacecky hacecky at jlab.org
Thu May 17 06:47:28 PDT 2018


I sent a few screenshots and the pcap for 63949 out of band.  3 way handshake not present.

For clarity, the bro conn log is coming from a sensor that is being fed a decrypted stream of 443 traffic.

I run snort/sancp full packet capture on the same box (same stream) and it doesn't have any data for these connections at all.

My other sensor that gets the encrypted traffic does see the connections, which is where I sourced the pcap but as you can see it doesn't show a huge chunk of data like the bro log does.

> Are other connections logged properly by bro? Connections with a full history of something like ShAdDafF?

In general?  Yes.  I've had bro running at my site for a number of years now.

For these specific connections no.  The only conn state I have for 10.10.10.10 to 20.20.20.20 is S0.

-Eric

----- Original Message -----
From: "Justin S Azoff" <jazoff at illinois.edu>
To: "Eric Hacecky" <hacecky at jlab.org>
Cc: bro at bro.org
Sent: Thursday, May 17, 2018 9:00:15 AM
Subject: Re: [Bro] Conn log shows massive file transfer inbetween normal browsing

> On May 17, 2018, at 8:47 AM, Eric Hacecky <hacecky at jlab.org> wrote:
> 
> Here are the matching source port entries for the last 3 connections.
> 
> The other two from ports 64031 and 64028 did not have any others from those ports.
> 
> The connection IDs are different throughout, I've included them this time around.
> 
> 4:38:31.565 PM	CmtAeYrQjXqUGW4xi	10.10.10.10	63949	20.20.20.20	443	tcp	-	0.015718	616216164	0	S0	T	F	0	Sa	1	48	1	44
> 4:38:22.566 PM	CiyCGi1xwft9PDrqG9	10.10.10.10	63949	20.20.20.20	443	tcp	-	3.013144	616216164	0	S0	T	F	0	Sa	2	104	2	88
> 4:38:31.815 PM	Cv2Tqo4ErGAdpsnth2	10.10.10.10	63951	20.20.20.20	443	tcp	-	0.015764	1834934747	0	S0	T	F	0	Sa	1	48	1	44
> 4:38:22.817 PM	CYpYXo175dS7gtQ1p1	10.10.10.10	63951	20.20.20.20	443	tcp	-	3.011727	1834934747	0	S0	T	F	0	Sa	2	104	2	88
> 4:38:33.098 PM	C3g5Yo4goIOLJEzvSh	10.10.10.10	63962	20.20.20.20	443	tcp	-	0.015809	73288814	0	S0	T	F	0	Sa	1	48	1	44
> 4:38:24.099 PM	Cv9aWbc0kwMKi7BC2	10.10.10.10	63962	20.20.20.20	443	tcp	-	3.007776	73288814	0	S0	T	F	0	Sa	2	104	2	88
> 
> Is there any significance to the orig_bytes and S0 conn state?
> 
> I'm considering filtering these log entries but not sure if I would end up filtering any 'real' traffic in the process.

Now that I look closer at this, I think my original comment was wrong: if these were long connections that bro was getting confused about, the history field would be Da (data + ack), not Sa (syn + ack).

Are other connections logged properly by bro? Connections with a full history of something like ShAdDafF?

It would be interesting to see a pcap of the traffic between those two hosts, then you could see if the system is even getting the full 3 way handshake or not.

— 
Justin Azoff
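The entries quoted above share a pattern that can be checked mechanically: orig_bytes claims hundreds of megabytes while orig_ip_bytes shows that only one or two small packets were ever captured, missed_bytes is 0, and the history never contains the responder's SYN-ACK (h) or any data packet (D/d). The script below is an added triage helper, not code from the Bro project or from either poster. It parses conn.log lines in the default column order (the same order as the quoted lines), and flags entries whose orig_bytes cannot be backed by packets the sensor actually saw, printing the reasons so they can be reviewed before any filtering is applied. The sample log is constructed for the example: the two flagged rows reuse the values quoted in the thread with made-up epoch timestamps, and the third row is an invented, fully-seen TLS connection for contrast.

```python
#!/usr/bin/env python3
"""Flag conn.log entries whose orig_bytes are not supported by captured packets.

Added example for triage; not part of Bro/Zeek. Column order is the default
conn.log layout, which matches the lines quoted in the thread.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Default conn.log columns (Bro 2.x): uppercase history letters belong to the
# originator, lowercase to the responder; S=SYN, h=SYN-ACK, A/a=ACK, D/d=data, F/f=FIN.
FIELDS = ("ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service "
          "duration orig_bytes resp_bytes conn_state local_orig local_resp "
          "missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes").split()

# Constructed sample: rows 1-2 reuse the thread's values (timestamps invented),
# row 3 is an invented, fully observed connection.
SAMPLE_LOG = "\n".join([
    "#fields\t" + "\t".join(FIELDS),
    "1526593111.565\tCmtAeYrQjXqUGW4xi\t10.10.10.10\t63949\t20.20.20.20\t443\ttcp\t-\t0.015718\t616216164\t0\tS0\tT\tF\t0\tSa\t1\t48\t1\t44",
    "1526593102.566\tCiyCGi1xwft9PDrqG9\t10.10.10.10\t63949\t20.20.20.20\t443\ttcp\t-\t3.013144\t616216164\t0\tS0\tT\tF\t0\tSa\t2\t104\t2\t88",
    "1526593111.900\tCxConstructed0001\t10.10.10.10\t63950\t20.20.20.20\t443\ttcp\tssl\t1.204\t1843\t5120\tSF\tT\tF\t0\tShADadFf\t12\t2467\t11\t5708",
])


@dataclass
class Conn:
    uid: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    orig_bytes: int
    conn_state: str
    missed_bytes: int
    history: str
    orig_pkts: int
    orig_ip_bytes: int


def _num(s: str) -> int:
    """Bro writes '-' for unset numeric fields; treat that as 0."""
    return 0 if s == "-" else int(s)


def parse_conn_log(text: str) -> List[Conn]:
    """Parse tab-separated conn.log lines, skipping '#fields'/'#types' headers."""
    conns = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(cols)}: {line!r}")
        rec = dict(zip(FIELDS, cols))
        conns.append(Conn(
            uid=rec["uid"], orig_h=rec["id.orig_h"], orig_p=int(rec["id.orig_p"]),
            resp_h=rec["id.resp_h"], resp_p=int(rec["id.resp_p"]),
            orig_bytes=_num(rec["orig_bytes"]), conn_state=rec["conn_state"],
            missed_bytes=_num(rec["missed_bytes"]), history=rec["history"],
            orig_pkts=_num(rec["orig_pkts"]), orig_ip_bytes=_num(rec["orig_ip_bytes"]),
        ))
    return conns


def phantom_transfer_reason(c: Conn) -> str:
    """Return why orig_bytes cannot be trusted for this entry, or '' if it looks sound.

    Payload bytes (orig_bytes) can never exceed the IP-layer bytes of the packets
    actually captured (orig_ip_bytes); any excess was inferred rather than seen.
    """
    if c.orig_bytes <= c.orig_ip_bytes:
        return ""
    reasons = [f"orig_bytes={c.orig_bytes} exceeds orig_ip_bytes={c.orig_ip_bytes} "
               f"over {c.orig_pkts} captured packet(s)"]
    if c.missed_bytes == 0:
        reasons.append("missed_bytes=0, so no content gap was recorded")
    if "h" not in c.history:
        reasons.append(f"history={c.history!r} never saw the responder's SYN-ACK")
    if not any(ch in c.history for ch in "Dd"):
        reasons.append("history records no payload-carrying packet")
    if c.conn_state == "S0":
        reasons.append("conn_state=S0 (attempt seen, no reply)")
    return "; ".join(reasons)


def flag_phantom_transfers(text: str) -> List[Tuple[str, str]]:
    """(uid, reason) for every entry whose byte count is not backed by packets."""
    flagged = []
    for c in parse_conn_log(text):
        reason = phantom_transfer_reason(c)
        if reason:
            flagged.append((c.uid, reason))
    return flagged


if __name__ == "__main__":
    for uid, why in flag_phantom_transfers(SAMPLE_LOG):
        print(f"{uid}: {why}")
```

The check deliberately keys on orig_bytes versus orig_ip_bytes rather than on S0 alone, so genuine S0 entries (ordinary unanswered SYNs, which have orig_bytes 0) are not swept up, and a `missed_bytes` of 0 next to a huge excess is exactly the combination that would justify the out-of-band pcap comparison suggested above rather than a blanket filter.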
