Dear list,
I'm having trouble understanding some log entries from my conn.log. I
already learned from this mailing list that bro cannot reliably detect who
initiated a connection if it does not see the initial connection setup,
which seems logical to me.
But if I look at my conn.log file, I find entries like these:
1446190221.687738 Cbu3fj3FYdODxvLF1h 87.152.221.xxx 50993 192.168.100.yyy 36709 tcp ssl 122.745965 1238 5340 S1 F T 0 ShADad 20 2050 19 6112 (empty)
1446190138.746769 CykNrp4VEfzbrJ2vm6 87.152.221.xxx 50993 192.168.100.yyy 36679 tcp ssl 223.406750 1384 18908 S1 F T 0 ShADad 39 2956 36 20360 (empty)
It looks like our IMAP server (87.152.221.xxx running on port 50993)
initiated a connection to my notebook (192.168.100.yyy). That should not
be possible due to the lack of port forwarding for this connection.
So my first guess is that bro didn't see the initial connection setup
(midstream traffic, OTH state). But I took a look at the documentation
on https://www.bro.org/sphinx/scripts/base/protocols/conn/main.bro.html
regarding the reported states (S1), which says:
S1 Connection established, not terminated.
This looks to me like bro saw the connection setup. Or did I get
something wrong here?
Oh and by the way: the next paragraph reads:
SF Normal establishment and termination. Note that this is the same
symbol as for state S1. You can tell the two apart because for S1 there
will not be any byte counts in the summary, while for SF there will be.
I don't understand this. Do S1 and SF really only differ in byte count
zero or non-zero? It seems to me that they also differ in "connection
still alive" and "connection was terminated".
Looking further through the logs, I also find entries with the "SF" flag in
which source and destination seem to be swapped:
1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.xxx 50993 192.168.100.yyy 20108 tcp - 462.348551 401 754 SF F T 0 DdAfFa 13 921 12 1234 (empty)
Does anybody have a hint? Did I misunderstand something?
I'm running bro 2.4.1.
Thanks a lot!
Sven
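Added example (editor's code, not part of Sven's post and not Bro's own code): a small decoder for the records above. It splits a Bro 2.4 conn.log line into its documented columns and reads the history field, whose letters are defined in the same main.bro page linked in the post (upper case = packet from the originator, lower case = from the responder; s SYN, h SYN+ACK, a pure ACK, d payload, f FIN, r RST, c bad checksum, i inconsistent). The three sample records are the post's own lines joined back together, the xxx/yyy anonymisation is kept as-is because they are only treated as strings, and the service-port set {50993} is the IMAP port the post names. Later Bro/Zeek versions add history letters; the decoder reports those as unknown rather than guessing.

```python
"""Decode Bro 2.4 conn.log records: who sent the SYN, was the handshake seen?

Added example, not code from the list post. History letters follow the
base/protocols/conn/main.bro documentation: upper case = originator,
lower case = responder. Letters added by later versions (t, w, q, ...)
are reported as unknown.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Column order written by the Bro 2.4 conn.log ASCII writer (#fields header).
FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "proto", "service", "duration", "orig_bytes", "resp_bytes",
    "conn_state", "local_orig", "local_resp", "missed_bytes", "history",
    "orig_pkts", "orig_ip_bytes", "resp_pkts", "resp_ip_bytes",
    "tunnel_parents",
]

HISTORY_LETTERS = {
    "s": "SYN without ACK",
    "h": "SYN+ACK (handshake)",
    "a": "pure ACK",
    "d": "packet with payload",
    "f": "packet with FIN",
    "r": "packet with RST",
    "c": "bad checksum",
    "i": "inconsistent packet (e.g. SYN+RST)",
}

# The three records from the post, one per line (anonymised addresses kept).
SAMPLE_RECORDS = [
    "1446190221.687738 Cbu3fj3FYdODxvLF1h 87.152.221.xxx 50993 192.168.100.yyy 36709 "
    "tcp ssl 122.745965 1238 5340 S1 F T 0 ShADad 20 2050 19 6112 (empty)",
    "1446190138.746769 CykNrp4VEfzbrJ2vm6 87.152.221.xxx 50993 192.168.100.yyy 36679 "
    "tcp ssl 223.406750 1384 18908 S1 F T 0 ShADad 39 2956 36 20360 (empty)",
    "1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.xxx 50993 192.168.100.yyy 20108 "
    "tcp - 462.348551 401 754 SF F T 0 DdAfFa 13 921 12 1234 (empty)",
]


@dataclass
class ConnRecord:
    fields: Dict[str, str]

    @property
    def history(self) -> str:
        return self.fields["history"]

    def explain_history(self) -> List[str]:
        """One human-readable entry per history letter, in packet order."""
        out = []
        for letter in self.history:
            side = "orig" if letter.isupper() else "resp"
            meaning = HISTORY_LETTERS.get(letter.lower(), f"unknown letter {letter!r}")
            out.append(f"{side}: {meaning}")
        return out

    def handshake_seen(self) -> bool:
        """True only if Bro saw the originator's SYN and the responder's SYN+ACK.

        conn_state alone does not tell you this: a record whose history has
        no S/h was picked up mid-stream, so its direction is Bro's guess.
        """
        return "S" in self.history and "h" in self.history

    def syn_sender(self) -> Optional[str]:
        """Logged side that sent the first SYN seen, or None if none was seen."""
        for letter in self.history:
            if letter in "Ss":
                return "orig" if letter == "S" else "resp"
        return None

    def direction_suspect(self, service_ports: Set[int]) -> bool:
        """True if the logged *originator* port is one of our own service ports."""
        return int(self.fields["id.orig_p"]) in service_ports


def parse_conn_line(line: str) -> ConnRecord:
    """Parse one non-comment conn.log line (tab separated in the real file)."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} columns, got {len(parts)}")
    return ConnRecord(dict(zip(FIELDS, parts)))


def audit(lines: List[str], service_ports: Set[int]) -> List[Dict[str, object]]:
    """Per record: state, whether the handshake was seen, who sent the SYN."""
    report = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        report.append({
            "uid": rec.fields["uid"],
            "conn_state": rec.fields["conn_state"],
            "handshake_seen": rec.handshake_seen(),
            "syn_sender": rec.syn_sender(),
            "orig_is_service_port": rec.direction_suspect(service_ports),
        })
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_RECORDS, {50993}):  # 50993: the IMAP port in the post
        print(entry)
    for step in parse_conn_line(SAMPLE_RECORDS[2]).explain_history():
        print("  ", step)
```

Run on the three records, the decoder shows the difference a practitioner wants between them: the two S1 records carry ShADad, i.e. Bro recorded a SYN from the logged originator and a SYN+ACK from the logged responder, while the SF record carries DdAfFa, which contains neither S nor h, so for that one the handshake was never observed regardless of what conn_state says. The history column, not conn_state, is therefore the field to check when a direction looks wrong.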
Hi all,
My goal is to integrate a new protocol analyzer in Bro. This protocol
(PROFINET Discovery and Basic Configuration Protocol) works on layer
2. My question is, are there special considerations to get at the data of
layer 2? My colleague has tried creating an analyzer by following your
instructions for coding an analyzer with binpac. Before he went on vacation,
he told me he could access layer 3 data with binpac but not layer 2 data.
Is that correct? If so, does it work with the new binpac++? Any pieces
of advice or suggestions on how to get started would be greatly appreciated.
Kind regards
Marcel Odenwald
Hello List,
I am developing a Bro analyzer plugin and I have the following issue. The
analyzer logs events into three different logfiles, one of which keeps
crashing with this error:
Reporter::ERROR s7data/Log::WRITER_ASCII: terminating thread
This happens before the first event is logged; however, the headers are
already written into the logfile. I am fairly new to Bro development, so
it might be some obvious mistake I am making, but I could not find any solution
on the internet.
I have attached the following files:
init_part.bro: the relevant part of the script, used for the logging
reporter.log: logfile that contains the error
s7data.log: the logfile that causes the crash
debug_s7data.log: relevant part of the debug.log file, when bro was run
with -B threading switch
strace_4938: relevant part of the strace -f output
When creating the attached logs bro-2.4 was used, but I tested the analyzer
with bro-2.4.1 as well and the problem persists.
I hope someone can point out the origin of the error and help me resolve
this issue.
Thanks,
Gyorgy Miru
Heya,
From the guide to the various log files
(https://www.bro.org/sphinx/script-reference/log-files.html) and some
example files I've accumulated it looks like nested fields are
represented in "flat" log files with period delimiters. So the orig_h
field within the id field becomes id.orig_h. Is this correct?
At the same time I'm seeing files with underscores instead of periods.
From what I can see on this mailing list and elsewhere, this is a
logging setting - people can switch out periods for underscores to
cover the situation where the software they read the logs /into/ does
not like periods.
My question: can I expect this to be consistent? In other words, for
files to either use periods or underscores, but not both at once?
Dear broers,
I'm currently working on a project involving Bro's core.
The idea is to adapt Bro to another architecture,
reusing the protocol analysers as well as the event
engine (not only developing plugins). The problem is
that I cannot find enough information on the
GitHub/Bro.org web sites. Even in the Doxygen there
is no detailed information about the architecture
(classes involved etc.). So I was wondering if some of
you had that kind of document? If not, I'll
gladly edit them for you if someone helps me with the
architecture details.
Sincerely,
Quentin Ricard.
Hi All,
I run tcpdump live to capture the traffic into a file using "-w".
Then I run bro to read that file offline using "-r".
Both instances are running continuously. At first it works fine, but then bro
stops generating results although it keeps running, which means bro didn't
continue reading from the file. Is it because bro -r is faster than the
live capture?
How can I let bro keep reading the file (this file is continuously growing)?
My bro version: 2.3 running on the Ubuntu platform.
Thanks
--
A friend in need Is a friend indeed
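Added example (editor's code, not from the post above): one way to keep an offline Bro instance fed without pointing it at a single ever-growing file. `bro -r` reads a trace to end-of-file and stops there, so the approach here is to let tcpdump rotate instead, e.g. `tcpdump -i eth0 -G 300 -w 'cap-%Y%m%d%H%M%S.pcap'` (a new file every 300 s; `-G` and the strftime name are real tcpdump options), and run Bro once on every file that has finished rotating. The command line `bro -r <file> local`, the `cap-*.pcap` naming and the 10 s grace period are assumptions for the example.

```python
"""Hand completed tcpdump rotation files to 'bro -r', one file at a time.

Added example, not from the list post. Assumes tcpdump rotates its
output (e.g. tcpdump -G 300 -w 'cap-%Y%m%d%H%M%S.pcap'); the newest
file is the one still being written and is never handed to Bro.
"""
import glob
import os
import subprocess
import time
from typing import Callable, Iterable, List, Set


def completed_captures(paths: Iterable[str], processed: Set[str],
                       grace: float = 10.0,
                       mtime: Callable[[str], float] = os.path.getmtime,
                       now: Callable[[], float] = time.time) -> List[str]:
    """Files that are safe to process, oldest first.

    A file qualifies if it is not the most recently modified one (that is
    the file tcpdump is still writing), has not been modified for `grace`
    seconds, and has not been processed before. mtime/now are injectable
    so the selection logic can be tested without touching the filesystem.
    """
    times = {p: mtime(p) for p in paths}
    if not times:
        return []
    newest = max(times, key=times.get)
    cutoff = now() - grace
    ready = [p for p in times
             if p != newest and p not in processed and times[p] <= cutoff]
    return sorted(ready, key=times.get)


def process_capture(path: str, outdir: str, bro: str = "bro") -> int:
    """Run Bro offline on one finished trace; its logs land in outdir.

    'bro -r <file> local' (loading the site policy) is an assumption;
    adjust to whatever scripts the deployment loads. Returns the exit code.
    """
    os.makedirs(outdir, exist_ok=True)
    result = subprocess.run([bro, "-r", os.path.abspath(path), "local"], cwd=outdir)
    return result.returncode


def watch(pattern: str, outdir: str, poll: float = 5.0, grace: float = 10.0,
          once: bool = False) -> Set[str]:
    """Poll for finished captures matching the glob and feed each to Bro once."""
    processed: Set[str] = set()
    while True:
        for path in completed_captures(glob.glob(pattern), processed, grace):
            rc = process_capture(path, os.path.join(outdir, os.path.basename(path)))
            processed.add(path)  # remember it even on failure, so a bad file is not retried forever
            if rc != 0:
                print(f"bro exited with {rc} on {path}")
        if once:
            return processed
        time.sleep(poll)


if __name__ == "__main__":
    import sys
    watch(sys.argv[1] if len(sys.argv) > 1 else "cap-*.pcap", "bro-logs")
```

Each rotated file is processed exactly once and Bro's logs for it go into a directory named after the capture, so nothing is lost when Bro is slower than the capture: the backlog simply grows on disk. One caveat of the "skip the newest file" rule: the final file is only picked up once a newer one appears, so after stopping tcpdump run `bro -r` on the last file by hand.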
Hi all,
as you know, Elasticsearch is unable to manage fields with a dot separator.
Until now I've used the Bro JSON output: the output logs were sent to
Elasticsearch through Logstash; since Elasticsearch 2.0 this is no longer
possible.
Is there a way to substitute the dot with another character?
Thanks,
Vito
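Added example (editor's code, not from either of the two posts on this topic, the periods-versus-underscores question above and Vito's Elasticsearch 2.0 question, and not Bro's own code). The Bro-side setting that decides the separator is `Log::default_scope_sep` (default "."), so `redef Log::default_scope_sep = "_";` in local.bro makes Bro itself write `id_orig_h`; the functions below are the post-hoc equivalent for logs that were already written with ".", in both the tab-separated ASCII format and the JSON format. The sample header and JSON line are constructed for the example; only the first six conn.log columns are kept.

```python
"""Find and rewrite dot-scoped field names in Bro logs (id.orig_h -> id_orig_h).

Added example, not from the list posts and not Bro code. Bro itself can
emit underscores via  redef Log::default_scope_sep = "_";  these helpers
handle logs that were already written with "." as the scope separator.
"""
import json
from typing import Dict, List

# Constructed sample: a Bro 2.4 ASCII conn.log header trimmed to six
# columns, plus one JSON line as the JSON writer (LogAscii::use_json) emits it.
ASCII_HEADER = [
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p",
    "#types\ttime\tstring\taddr\tport\taddr\tport",
]
JSON_LINE = ('{"ts":1446190221.687738,"uid":"Cbu3fj3FYdODxvLF1h",'
             '"id.orig_h":"10.0.0.1","id.orig_p":50993,'
             '"id.resp_h":"10.0.0.2","id.resp_p":36709,"proto":"tcp"}')


def field_names(header_lines: List[str]) -> List[str]:
    """Return the column names from the '#fields' line of an ASCII log header."""
    for line in header_lines:
        if line.startswith("#fields\t"):
            return line.rstrip("\n").split("\t")[1:]
    raise ValueError("no #fields line in header")


def scoped_names(names: List[str]) -> List[str]:
    """Names still using '.' as scope separator, i.e. what Elasticsearch 2.0 rejects.

    The underscore form cannot be checked the same way: orig_bytes is a
    plain name, not a scoped one, so only the dot form is detectable from
    the header alone.
    """
    return [n for n in names if "." in n]


def rewrite_fields_line(line: str, sep: str = "_") -> str:
    """Rewrite a '#fields' header line with a different scope separator."""
    tag, *names = line.rstrip("\n").split("\t")
    return "\t".join([tag] + [n.replace(".", sep) for n in names])


def rename_keys(record: Dict[str, object], sep: str = "_") -> Dict[str, object]:
    """Copy of a JSON record with '.' in every key replaced by sep."""
    return {k.replace(".", sep): v for k, v in record.items()}


def nest(record: Dict[str, object]) -> Dict[str, object]:
    """Turn 'id.orig_h' style keys back into nested objects: {'id': {'orig_h': ...}}."""
    out: Dict[str, object] = {}
    for key, value in record.items():
        node = out
        *path, leaf = key.split(".")
        for part in path:
            node = node.setdefault(part, {})
        node[leaf] = value
    return out


def convert_json_log(lines: List[str], sep: str = "_") -> List[str]:
    """Rewrite every JSON log line so that no key contains a dot."""
    return [json.dumps(rename_keys(json.loads(l), sep)) for l in lines if l.strip()]


if __name__ == "__main__":
    print(scoped_names(field_names(ASCII_HEADER)))
    print(rewrite_fields_line(ASCII_HEADER[5]))
    print(convert_json_log([JSON_LINE])[0])
    print(nest(json.loads(JSON_LINE)))
```

Within one file the separator is whatever `Log::default_scope_sep` was when Bro wrote it, so `scoped_names` on the header is the quick check before shipping a directory of logs: an empty result means the file is already underscore-style (or has no nested fields), anything else means a rewrite is needed. `nest` is the inverse direction, useful when the consumer wants real JSON objects rather than flattened keys.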
Dears
I want to use the packet filtering framework supported by Bro. It filters based
on static IP addresses. But in my case, I want the filter to read IP addresses
from a dynamic file (a file that is updated by another bro instance).
How can I do that?
My bro version: 2.3 running on the Ubuntu platform.
Thanks in Advance
--
A friend in need Is a friend indeed
Hello everyone,
I was wondering if it is possible to write an OSPF analyzer with Binpac.
The problem I face is that OSPF is at layer 4 (there's no tcp or udp).
Can anyone give me a solution to my problem?
Thank you,
Reda Sabir
Hello,
I have been experiencing strange behavior in Bro file extraction.
Here you can see what is extracted in the bro extract directory:
0 Dec 20 07:42 HTTP-FZyPZr1vrwJ5czHazj.swf
0 Dec 20 07:42 HTTP-FZyPZr1vrwJ5czHazj.swf.1
0 Dec 20 07:42 HTTP-FZyPZr1vrwJ5czHazj.swf.1.1
0 Dec 13 06:42 HTTP-FZyPZr1vrwJ5czHazj.swf.1.1.1
0 Dec 6 06:57 HTTP-FZyPZr1vrwJ5czHazj.swf.1.2
0 Dec 20 07:42 HTTP-FZyPZr1vrwJ5czHazj.swf.2
0 Dec 13 06:42 HTTP-FZyPZr1vrwJ5czHazj.swf.2.1
359 Dec 1 09:36 HTTP-FZyPZr1vrwJ5czHazj.swf.3
Where should I look to troubleshoot this?
I just expected to have one extracted file, 359 Dec 1 09:36
HTTP-FZyPZr1vrwJ5czHazj.swf, instead of those multiple files with zero bytes.