binpac exception: out_of_bound: SSLRecord:rec: 41702 > 1350

Hi Everyone,

Looking at the weird.log file recently showed a lot of weird notices logged for the binpac exception: out_of_bound, specifically for SSLRecord.
Hence I wanted to ask if these can be safely ignored, or if something is broken and there are serious issues with the traffic Bro is seeing. :slight_smile:

Here are some of the notices from weird.log:

2018-04-17T09:01:56-0400 CyVf0j1M4RughxzHt4 128.4.61.1 52113 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 48205 > 1350 - F worker-3-6
2018-04-17T09:01:56-0400 CyVf0j1M4RughxzHt4 128.4.61.1 52113 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 36586 > 1350 - F worker-3-6
2018-04-17T09:02:02-0400 CZlYI32EvsHn4OX81l 128.175.252.224 54493 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 17689 > 1350 - F worker-3-7
2018-04-17T09:02:02-0400 CZlYI32EvsHn4OX81l 128.175.252.224 54493 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 34801 > 1350 - F worker-3-7
2018-04-17T09:02:03-0400 Cxl308dWBQAhdAuvf 128.4.95.167 61457 64.15.123.23 443 binpac exception: out_of_bound: SSLRecord:rec: 63514 > 1350 - F worker-1-1
2018-04-17T09:02:03-0400 Cxl308dWBQAhdAuvf 128.4.95.167 61457 64.15.123.23 443 binpac exception: out_of_bound: SSLRecord:rec: 4143 > 1350 - F worker-1-1
2018-04-17T09:02:16-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 13126 > 1350 - F worker-2-19
2018-04-17T09:02:16-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 13126 > 1261 - F worker-2-19
2018-04-17T09:02:16-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 63719 > 41 - F worker-2-19
2018-04-17T09:02:16-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 17744 > 35 - F worker-2-19
2018-04-17T09:02:17-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 64155 > 38 - F worker-2-19
2018-04-17T09:02:17-0400 Cn3rHuB9LlM3YfTd1 128.4.62.54 65054 173.194.205.189 443 binpac exception: out_of_bound: SSLRecord:rec: 54546 > 41 - F worker-2-19

Appreciate any insights. :slight_smile:

Thanks!
Fatema.

Hi Fatema,

the answer is that you should not see this happen very often. Let me check
if that is something that I can also observe in our local cluster - the
last time I checked things looked more or less normal.

Johanna

Hi Johanna,

Thanks for the response.
I was analyzing these more, and looked in the connection logs to see which connections these correspond to.
I am seeing UDP connections on 443 which are pretty long, and the majority of dest IPs are Google Inc. owned with some kind of video streaming service, I think YOUTUBE,
hence I was wondering whether these weird notices correspond to any DTLS traffic to those video streaming services provided by Google.
Also, as far as I can tell, no SSL records got logged for these either, which I assumed should have been processed by the SSL Analyzer. Hmm.

$ cat current/*.log | grep "C7lzD74mBAzB4usIHe"
1523972950.556723 C7lzD74mBAzB4usIHe 128.4.154.42 59835 64.15.123.22 443 udp - 983.275963 2555936 162005599 SF 417 165405275 (empty) worker-3-12
1523973692.538113 C7lzD74mBAzB4usIHe 128.4.154.42 59835 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 58376 > 1350
1523973693.501421 C7lzD74mBAzB4usIHe 128.4.154.42 59835 64.15.123.22 443 binpac exception: out_of_bound: SSLRecord:rec: 11466 > 1350

IP: 64.15.123.22, r7.sn-bvvbax-2iae.googlevideo.com , Autonomous_System-YOUTUBE

Thanks,
Fatema.
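The check Fatema did by hand above (grep the weird uid out of conn.log and look at the protocol column) is easy to script. The following is an added example, not code from this thread or from the Bro/Zeek project. It assumes the simplified space-separated log layout shown in the thread (real Zeek logs are tab-separated with a `#fields` header) and uses constructed sample lines with documentation-range addresses; the uids and hosts are made up. Besides joining each SSLRecord out_of_bound weird to its connection's transport protocol, it applies one sanity check the numbers in the messages allow: a TLS/DTLS record length field cannot exceed 2^14 + 2048 bytes (RFC 5246), so a "rec: 63719" header was never a TLS record to begin with.

```python
import re
from collections import Counter

# Message format of the weird entries in this thread; the two numbers are the
# record length the SSL parser read from the header and the bytes actually available.
WEIRD_RE = re.compile(r"binpac exception: out_of_bound: SSLRecord:rec: (\d+) > (\d+)")

# RFC 5246 caps a TLS record's length field at 2^14 + 2048 bytes; anything larger
# cannot be a real TLS/DTLS record header, so the parser was fed non-TLS bytes.
MAX_TLS_RECORD = 2**14 + 2048

# Constructed sample weird.log lines (layout as in the thread; uids/addresses are made up).
WEIRD_LOG = """\
1523973692.538113 CuidA1 10.0.0.5 59835 203.0.113.22 443 binpac exception: out_of_bound: SSLRecord:rec: 58376 > 1350 - F worker-3-12
1523973693.501421 CuidA1 10.0.0.5 59835 203.0.113.22 443 binpac exception: out_of_bound: SSLRecord:rec: 11466 > 1350 - F worker-3-12
1523973700.000000 CuidB2 10.0.0.6 50001 198.51.100.7 443 binpac exception: out_of_bound: SSLRecord:rec: 40000 > 1350 - F worker-1-1
1523973701.000000 CuidC3 10.0.0.7 50002 198.51.100.9 443 some_other_weird - F worker-1-1
"""

# Constructed sample conn.log lines: ts uid orig_h orig_p resp_h resp_p proto service duration ...
CONN_LOG = """\
1523972950.556723 CuidA1 10.0.0.5 59835 203.0.113.22 443 udp - 983.275963 2555936 162005599 SF
1523973650.000000 CuidB2 10.0.0.6 50001 198.51.100.7 443 tcp ssl 12.5 1000 2000 SF
"""


def parse_conn(text):
    """Index conn.log rows by uid (simplified space-separated layout)."""
    conns = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8:
            continue
        conns[f[1]] = {"resp_h": f[4], "resp_p": int(f[5]), "proto": f[6], "service": f[7]}
    return conns


def parse_weird(text):
    """Return only the SSLRecord out_of_bound weirds, with the two lengths decoded."""
    events = []
    for line in text.splitlines():
        m = WEIRD_RE.search(line)
        if not m:
            continue
        f = line.split()
        events.append({"uid": f[1], "resp_h": f[4], "resp_p": int(f[5]),
                       "claimed": int(m.group(1)), "available": int(m.group(2))})
    return events


def triage(weird_text, conn_text):
    """Join each weird to its connection and summarise what the parser was chewing on."""
    conns = parse_conn(conn_text)
    by_proto = Counter()
    udp_responders = Counter()
    implausible = 0
    for ev in parse_weird(weird_text):
        conn = conns.get(ev["uid"])
        proto = conn["proto"] if conn else "unknown"
        by_proto[proto] += 1
        if proto == "udp":
            udp_responders[ev["resp_h"]] += 1
        if ev["claimed"] > MAX_TLS_RECORD:
            implausible += 1
    return {
        "total": sum(by_proto.values()),
        "by_proto": dict(by_proto),
        "udp_responders": dict(udp_responders),
        "implausible_record_lengths": implausible,
    }


if __name__ == "__main__":
    for key, value in triage(WEIRD_LOG, CONN_LOG).items():
        print(f"{key}: {value}")
```

On a real cluster you would feed `zeek-cut`/`bro-cut` output (or parse the `#fields` header) instead of the fixed column positions used here. If nearly all of the weirds resolve to `udp` responders on port 443 and the claimed record lengths are above the TLS maximum, the traffic is something the SSL/DTLS analyzer was handed but cannot be TLS, which matches the QUIC explanation reached later in this thread.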

Oh - interesting, these are udp.

In that case I instantly feel much less bad about this. It is probably google experimenting with something. Let me still check if I see that too :slight_smile:

Johanna

Looks like this is probably just QUIC (more here) traffic which is likely tightly intermixed with various Youtube (streaming,uploading,posting, etc.) application traffic via tcp/443 from the same IP.

-Drew

Cool. Thanks Drew.
Yeah, Johanna felt the same, and provided information on what it might be and could be ignored.

Fatema.

If you have a pcap and you use bro-pkg, you can install the basic QUIC analyzer and verify. (Or I can if you are comfortable sending a small sample).

-Dop

Thanks Mike. I captured a small pcap from the sensor, and analysed it with Wireshark, which classified the traffic
as encrypted QUIC payload.
Unfortunately, when run with the Bro 2.5.1 install on the system in offline mode,
it didn't generate those weird alerts, maybe because the traffic captured was for just a couple of minutes.
Hence, Johanna and I concluded that Google might be experimenting with UDP port 443 and that it's the cause of those alerts. :slight_smile:

I haven’t tried the QUIC analyzer though, will try that next!

Thanks,
Fatema.