Hello,
I am a pretty new user of Bro and use it as part of the Security Onion distribution. I recently came across a problem which I was hoping one of you might be able to help with.
When looking at some telnet connections on a non-standard TCP port I noticed that some data flows are reported in the wrong direction. When I checked the conn.log files, all the entries in question had the same characteristics listed below:
- They would only appear in the archived (gzip) conn.*.log.zip files, not the current conn.log file.
- Entries would always be at the beginning of the zipped conn.*.log.zip file.
- Conn_State field would say RSTR 4. History field would be DaFr (on most of them).
Below are some examples. As you can see, the file name reflects the from/to date/time, and the characteristics of the entries in question, where the flow direction is reversed, are as follows:
zcat conn.16:27:17-17:00:00.log.gz | bro-cut -d ts proto conn_state history | grep RSTR
2013-10-25T16:27:12+0000 tcp RSTR DaFr
2013-10-25T16:27:12+0000 tcp RSTR DaFr
2013-10-25T16:27:12+0000 tcp RSTR DaFr
zcat conn.18:36:28-19:00:00.log.gz | bro-cut -d ts proto conn_state history | grep RSTR
2013-10-25T18:36:23+0000 tcp RSTR DaFr
2013-10-25T18:36:23+0000 tcp RSTR DaFr
2013-10-25T18:36:23+0000 tcp RSTR DaFr
It almost seems that this happens when the conn.log file is being divided up and zipped.
Just to give some context, we have a script running which telnets to multiple devices on non-standard telnet ports, polls certain variables, and exits.
Thanks,
Konrad
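As an added example (not from Konrad's post, Bro or Security Onion), a small Python triage script that pulls the records matching the description above out of a rotated conn.log, RSTR entries whose history never shows a handshake, and reports whether each one's timestamp falls before the window encoded in the file name; the reduced #fields header, sample records and uids are constructed.

```python
"""Triage helper (added here, not from the original post or Bro): pick out
conn.log records with the characteristics Konrad describes, RSTR with a
history that never shows a handshake, and note whether each one falls before
the rotation window named in the file, e.g. conn.16:27:17-17:00:00.log.gz."""
import re
from datetime import datetime, timezone

# In Bro's history field upper case means the originator sent it, lower case
# the responder; S/s and H/h are SYN and SYN-ACK.  A history such as DaFr
# therefore records a connection seen without its handshake.
HANDSHAKE = set("SsHh")

def window_start(filename):
    """Return the 'HH:MM:SS' start of a rotated conn log's name."""
    m = re.match(r"conn\.(\d\d:\d\d:\d\d)-\d\d:\d\d:\d\d\.log\.gz$", filename)
    if not m:
        raise ValueError(f"not a rotated conn log name: {filename}")
    return m.group(1)

def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))

def suspicious_entries(filename, text):
    """RSTR records without a handshake, with the UTC time of day and whether
    that time precedes the window start taken from the file name."""
    start = window_start(filename)
    hits = []
    for rec in parse_conn_log(text):
        if rec["conn_state"] != "RSTR" or HANDSHAKE & set(rec["history"]):
            continue
        tod = datetime.fromtimestamp(float(rec["ts"]), timezone.utc).strftime("%H:%M:%S")
        hits.append({"uid": rec["uid"], "time": tod, "history": rec["history"],
                     "before_window": tod < start})
    return hits

def _epoch(h, m, s):
    return datetime(2013, 10, 25, h, m, s, tzinfo=timezone.utc).timestamp()

# Constructed sample: a reduced #fields header, two reversed-looking records
# (the polled device shows up as originator on port 2323), a normal telnet
# session, and a reset whose handshake was seen.
SAMPLE_FILE = "conn.16:27:17-17:00:00.log.gz"
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\thistory",
    f"{_epoch(16, 27, 12)}\tCa1\t10.0.0.5\t2323\t10.0.0.9\t51022\ttcp\tRSTR\tDaFr",
    f"{_epoch(16, 27, 12)}\tCa2\t10.0.0.6\t2323\t10.0.0.9\t51023\ttcp\tRSTR\tDaFr",
    f"{_epoch(16, 30, 0)}\tCa3\t10.0.0.9\t51030\t10.0.0.7\t2323\ttcp\tSF\tShADadFf",
    f"{_epoch(16, 40, 0)}\tCa4\t10.0.0.9\t51040\t10.0.0.8\t2323\ttcp\tRSTR\tShADr",
])

if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_FILE, SAMPLE_LOG):
        print(hit)
```

On a real archive, feed it `zcat conn.<window>.log.gz` output and the matching file name; records flagged with before_window True are the ones to compare against the previous file's tail.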