[Bro] Conn log shows massive file transfer inbetween normal browsing
Eric Hacecky
hacecky at jlab.org
Thu May 17 06:47:28 PDT 2018
I sent a few screenshots and the pcap for 63949 out of band. 3 way handshake not present.
For clarity, the bro conn log is coming from a sensor that is being fed a decrypted stream of 443 traffic.
I run snort/sancp full packet capture on the same box (same stream) and it doesn't have any data for these connections at all.
My other sensor that gets the encrypted traffic does see the connections, which is where I sourced the pcap but as you can see it doesn't show a huge chunk of data like the bro log does.
> Are other connections logged properly by bro ? Connections with a full history of something like ShAdDafF?
In general? Yes. I've had bro running at my site for a number of years now.
For these specific connections no. The only conn state I have for 10.10.10.10 to 20.20.20.20 is S0.
-Eric
----- Original Message -----
From: "Justin S Azoff" <jazoff at illinois.edu>
To: "Eric Hacecky" <hacecky at jlab.org>
Cc: bro at bro.org
Sent: Thursday, May 17, 2018 9:00:15 AM
Subject: Re: [Bro] Conn log shows massive file transfer inbetween normal browsing
> On May 17, 2018, at 8:47 AM, Eric Hacecky <hacecky at jlab.org> wrote:
>
> Here are the matching source port entries for the last 3 connections.
>
> The other two from ports 64031 and 64028 did not have any others from those ports.
>
> The connection IDs are different throughout, I've included them this time around.
>
> 4:38:31.565 PM CmtAeYrQjXqUGW4xi 10.10.10.10 63949 20.20.20.20 443 tcp - 0.015718 616216164 0 S0 T F 0 Sa 1 48 1 44
> 4:38:22.566 PM CiyCGi1xwft9PDrqG9 10.10.10.10 63949 20.20.20.20 443 tcp - 3.013144 616216164 0 S0 T F 0 Sa 2 104 2 88
> 4:38:31.815 PM Cv2Tqo4ErGAdpsnth2 10.10.10.10 63951 20.20.20.20 443 tcp - 0.015764 1834934747 0 S0 T F 0 Sa 1 48 1 44
> 4:38:22.817 PM CYpYXo175dS7gtQ1p1 10.10.10.10 63951 20.20.20.20 443 tcp - 3.011727 1834934747 0 S0 T F 0 Sa 2 104 2 88
> 4:38:33.098 PM C3g5Yo4goIOLJEzvSh 10.10.10.10 63962 20.20.20.20 443 tcp - 0.015809 73288814 0 S0 T F 0 Sa 1 48 1 44
> 4:38:24.099 PM Cv9aWbc0kwMKi7BC2 10.10.10.10 63962 20.20.20.20 443 tcp - 3.007776 73288814 0 S0 T F 0 Sa 2 104 2 88
>
> Is there any significance to the orig_bytes and S0 conn state?
>
> I'm considering filtering these log entires but not sure if I would end up filtering any 'real' traffic in the process.
Now that I look closer at this i think my original comment was wrong, if these were long connections that bro was getting confused about, the history field would be Da (data + ack), not Sa (syn + ack).
Are other connections logged properly by bro ? Connections with a full history of something like ShAdDafF?
would be interesting to see a pcap of the traffic between those two hosts, then you could see if the system is even getting the full 3 way handshake or not.
—
Justin Azoff
More information about the Bro
mailing list