I'm having trouble understanding some log entries from my conn.log. I
already learned from this mailing list that bro cannot surely detect who
initiated a connection if it does not see the initial connection setup,
which seems logical to me.
But if I look to my conn.log file, I find entries like these:
1446190221.687738 Cbu3fj3FYdODxvLF1h 87.152.221.xxx 50993
192.168.100.yyy 36709 tcp ssl 122.745965 1238 5340
S1 F T 0 ShAD
ad 20 2050 19 6112 (empty)
1446190138.746769 CykNrp4VEfzbrJ2vm6 87.152.221.xxx 50993
192.168.100.yyy 36679 tcp ssl 223.406750 1384 18908
S1 F T 0 ShAD ad 39 2956 36
It looks like our IMAP server (87.152.221.xxx running on port 50993)
initiated a connection to my notebook (192.168.100.yyy). That should not
be possible due to lack of port forwarding for this connection.
So my first guess is that bro didn't see the initial connection setup
(midstream traffic, OTH state). But I took a look into the documentation
regarding the reported states (S1), which says:
S1 Connection established, not terminated.
This looks to me like bro saw the connection setup. Or did I get
something wrong here?
Oh and by the way: the next paragraph reads:
SF Normal establishment and termination. Note that this is the same
symbol as for state S1. You can tell the two apart because for S1 there
will not be any byte counts in the summary, while for SF there will be.
I don't understand this. Do S1 and SF really only differ in byte count
zero or non-zero? It seems to me that they also differ in "connection
still alive" and "connection was terminated".
Looking further trough the logs, I also find entries with "SF" flag in
whuch source and destination seem twisted:
1445338094.186121 C9uuKp4dE9nrHo46bd 87.152.220.xxx 50993
192.168.100.yyy 20108 tcp -462.348551 401 754 SF
F T 0 DdAfFa 13 921 12 1234 (empty)
Does anybody have a hint? Did I misunderstand something?
I'm running bro 2.4.1.
Thanks a lot!
My goal is to integrate a new protocol analyzer in Bro. This protocol
(PROFINET dyscovery and Basic Configuration Protocol) is working on layer
2. My question is, are there special considerations to get at the data of
the layer 2? My colleague has tried creating an analyzer by following your
instructions for coding an analyzer by binpac. Before he went on vacation,
he told me, he could access data with binpac of layer 3 but not of layer
2? Is that correct? If so does it work with the new binpac ++? Any pieces
of advice or suggestions how to get started would be greatly appreciated.
We are happy to announce that BroCon ’16 will occur on Tuesday, September 13th - Thursday, September 15th at the Texas Advanced Computing Center in Austin, Texas.
See our event page:
Early bird registration is open! CFP is open!
Interested in sponsoring BroCon? Contact us at info(a)bro.org for more information.
Thank you for your continued support, and see you in September!
The Bro Project
Bro Outreach Coordinator
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
I have Ubuntu installed as a host system with Debian running as the guest
system on qemu. I need to send created traffic from the host to an Apache
web server installed on the guest and monitor this traffic using bro which
is installed on the host.
What is the best way to make this connection? I would really appreciate if
you could provide me with a link or something on how to make the bridge. I
have tried several ways but haven't been successful yet!
Thank you so much in advance,
I have my sensor set up to email me notices with:
hook Notice::policy(n: Notice::Info)
If I understand correct this will email me upon any entry in the
notice.log. Is there a way to:
1. only get specific items emailed upon entry
2. get the rest of notice.log entries emailed with ACTON_ALARM in the
alarm-mail.txt and have that ignore anything that was previously emailed.
3. Only get one notice email per alert?
What I am doing is in the /opt/bro/share/bro/intel folder creating
different folders with IOS's I want the intel framework to look over and I
am using meta.do_notice to send the items of importance to the notice log.
Excuse my ignorance with this subject I am just now trying to get things
emailed out efficiently to reduce some noise and redundancy my analysts are
And on the heels of the NIC question, how about hardware experiences?
I'm looking at the PCIE2 NIC's at both Myricom and Netronome....any
recommends for the server hardware to wrap around these cards? The plan
is to have this machine monitor a corporate LAN...lot's of traffic.
Guessing the team will want to go Dell if that helps. Thanks for the
I would like to know if it is possible to split the generated header/cpp
files (header files more important) into multiple files. For example, I
would like to have a separate generated header file for the record types
so that I can include it in a separate project.
I’m trying to debug some packet drops that I’m experiencing and am turning to the list for help. The recorded packet loss is ~50 – 70% at times. The packet loss is recorded in broctl’s netstats as well as in the notice.log file.
Running netstats at startup – I’m dropping more than I’m receiving from the very start.
[BroControl] > netstats
worker-1-1: 1452200459.635155 recvd=734100 dropped=1689718 link=2424079
worker-1-10: 1452200451.830143 recvd=718461 dropped=1414234 link=718461
worker-1-11: 1452200460.036766 recvd=481010 dropped=2019289 link=2500560
worker-1-12: 1452200460.239585 recvd=720895 dropped=1805574 link=2526730
worker-1-13: 1452200460.440611 recvd=753365 dropped=1800827 link=2554453
worker-1-14: 1452200460.647368 recvd=784145 dropped=1800831 link=2585237
worker-1-15: 1452200460.844842 recvd=750921 dropped=1868186 link=2619368
worker-1-16: 1452200461.049237 recvd=742718 dropped=1908528 link=2651507
- 64 AMD Opteron System
- 128gb of RAM
- Intel 10gb IXGBE interface (dual 10gb interfaces, eth3 is the sniffer)
- Licensed copy of PF_Ring ZC
I’m running Bro 2.4.1, PF_Ring 6.2.0 on Centos / 2.6.32-411 kernel
I have the proxy, manager & 16 workers running on the same system. 16 CPUs are pinned (0-15)
Startup scripts to load the various kernel modules (from PF_RING 6.2.0 src)
insmod /lib/modules/2.6.32-431.11.2.el6.x86_64/kernel/net/pf_ring/pf_ring.ko enable_tx_capture=0 min_num_slots=32768 quick_mode=1
insmod /lib/modules/2.6.32-431.11.2.el6.x86_64/kernel/drivers/net/ixgbe/ixgbe.ko numa_cpu_affinity=0,0 MQ=0,1 RSS=0,0
I checked /proc/sys/pci/devices to confirm that the interface is running on numa_node 0. ‘lscpu’ shows that cpus 0-7 are one node 0, socket 0, and cpus 8-15 are on node 1, socket 0. I figured having the 16 RSS queues on the same socket is probably better than having them bounce around.
I’ve disabled a bunch of the ixgbe offloading stuff:
ethtool -K eth3 rx off
ethtool -K eth3 tx off
ethtool -K eth3 sg off
ethtool -K eth3 tso off
ethtool -K eth3 gso off
ethtool -K eth3 gro off
ethtool -K eth3 lro off
ethtool -K eth3 rxvlan off
ethtool -K eth3 txvlan off
ethtool -K eth3 ntuple off
ethtool -K eth3 rxhash off
ethtool -K eth3 rx 32768
I’ve also tuned the stack, per recommendations from SANS:
net.ipv4.tcp_timestamps = 0
net.ipv4.tcp_sack = 0
net.ipv4.tcp_rmem = 10000000 10000000 10000000
net.ipv4.tcp_wmem = 10000000 10000000 10000000
net.ipv4.tcp_mem = 10000000 10000000 10000000
net.core.rmem_max = 134217728
net.core.wmem_max = 134217728
net.core.netdev_max_backlog = 250000
The node.cfg looks like this:
I have a license for ZC, and if I change the interface from eth3 to zc:eth3, it will spawn up 16 workers, but only one of them is receiving any traffic. I’m assuming that it is looking at zc:eth3@0 only. Netstats proves that out. If I run pfcount –I zc@eth3, it will show me that I’m receiving ~1gbp/s of traffic on the interface and not dropping anything.
Am I missing something obvious? I saw many threads about disabling hyper threading, but that seems specific to intel processors – I’m running AMD operterons with their own hyper transport stuff which doesn’t create virtual cpus.
Running SecurityOnion and trying to implement Criticial Stack with
Bro, server running 24GB RAM the system becomes unresponsive in 30
seconds. All memory and swap is utilized by then. Any documentation
that show sizing of Bro and Critical Stack?
If I remove criticalstack from local.bro, it's back to normal.