Dear all,
Seems that Bro classifies connections into a number of states in its "connection summaries" log files, states such as SF, REJ, etc., upon which it then classifies the connection into one of the three states "good", "bad" or "unknown". I was wondering if one could give me a direct pointer to a reference in which these states are discussed thoroughly.
Regards
L. Arshadi
I too would be interested in knowing.
Thanks
Ron Jenkins (SnortCP,VCP 3 / 4,MCNE,MCPS,MCNPS,CCNA)
RMJ Consulting, LLC.
“Bringing Companies and Solutions Together”
Owner / Senior Architect
Physical Address
11715 Bricksome Ave STE B-7
Baton Rouge, LA 70816
Mail Address
7575 Jefferson Hwy #103
Baton Rouge, LA 70806
Toll. 855-448-5214
Direct. 225-448-5214
Fax. 225-448-5324
Cell. 225-931-1632
Email. rjenkins@rmjconsulting.net
Web. http://www.rmjconsulting.net/
http://www.linkedin.com/in/ronmjenkins
FYI
I found the below link.
Thanks
http://www.icir.org/robin/rwth/bro-tour.pdf
Ron Jenkins (SnortCP, VCP (3/4), MCNE, CNE6, MCP,CCNA)
RMJ Consulting, LLC. “Bringing Companies and Solutions Together”
Makers of Active Response System(ARS) & Log Siphon
Owner / Senior Architect
Physical Address
11715 Bricksome Ave STE B-7
Baton Rouge, LA 70816
Mail Address
7575 Jefferson Hwy #103
Baton Rouge, LA 70806
Toll: 855-448-5214
Direct. 225-448-5214
Fax. 225-448-5324
Cell. 225-931-1632
Email. rjenkins@rmjconsulting.net
Web. http://www.rmjconsulting.net
ARS. http://www.rmjars.com
Log Siphon. http://www.logsiphon.com
Linkedin. http://www.linkedin.com/profile/view?id=28564151&trk=tab_pro
Wow, a 17 line sig for a 2 line e-mail. That might be a new record.
--Vlad
Hi Ron
Thanks for the link but unfortunately it does not contain all the information I am looking for.
L. Arshadi
I suspect the link from Alex answered your question, but to go a little further than the rote documentation I'd like to point out that what that field really represents is how Bro chose to perceive the connection. Since Bro is a third party passive observer it can't always perfectly understand the conversation for various reasons like packet loss, missing packets due to asynchronous routing, or peculiar host semantics that Bro doesn't understand.
Check out the history field too if you want a little more information about what Bro actually saw on the wire. It's documented on the same page:
http://www.bro.org/sphinx-git/scripts/base/protocols/conn/main.html
.Seth
Hi
Thank you both Alex and Seth for the link and the explanation. I got the taste of the connection states; now I am looking for the policies upon which Bro decides that a connection is "good", "bad" or "unknown". Is anything stated in the documents in this regard?
Regards
Laleh
Hm, your question is a little broad. 
.Seth
OK… to be more precise, how can I decide which connection is suspicious to be a TCP scanning attempt?
That's mostly going to depend on what you consider a TCP scan attempt. This is such a hard problem and could be slightly different in everyone's context.
Anyway, I would recommend taking a look at the scan.bro that is in our master repository. It's a new script that is coming out with the upcoming 2.2 release and it works pretty well, if you read and understand that script it should answer your question though.
.Seth
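To make Seth's two points concrete (that conn_state is Bro's interpretation of the connection, that the history field records what it actually saw on the wire, and that "what counts as a scan" is a context-dependent threshold), here is an added example that is not from this thread or from the Bro project. It parses a few constructed conn.log lines (a cut-down column set; a real log has more columns, which the #fields header handles), expands the history letters, tallies conn_state per originator, and flags originators whose failed attempts (S0 or REJ) touch many distinct destination ports. The log lines, the host addresses and the port threshold are all constructed for illustration.

```python
"""Summarise Bro conn.log conn_state/history per originator and flag
scan-like behaviour. Added example with constructed data; the threshold
below is an illustrative assumption, not a Bro default."""
from collections import Counter, defaultdict

# Constructed conn.log excerpt in Bro's tab-separated ASCII format.
# A real conn.log carries more columns; parsing by the #fields header
# means extra columns are harmless.
SAMPLE_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\thistory
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring
1372000000.1\tC1\t10.0.0.5\t40001\t10.0.0.9\t22\ttcp\tSF\tShAdDaFf
1372000001.2\tC2\t10.0.0.5\t40002\t10.0.0.9\t80\ttcp\tSF\tShADadFf
1372000002.3\tC3\t192.0.2.7\t51001\t10.0.0.9\t21\ttcp\tREJ\tSr
1372000002.4\tC4\t192.0.2.7\t51002\t10.0.0.9\t23\ttcp\tREJ\tSr
1372000002.5\tC5\t192.0.2.7\t51003\t10.0.0.9\t25\ttcp\tS0\tS
1372000002.6\tC6\t192.0.2.7\t51004\t10.0.0.9\t110\ttcp\tS0\tS
1372000002.7\tC7\t192.0.2.7\t51005\t10.0.0.9\t143\ttcp\tREJ\tSr
1372000003.0\tC8\t192.0.2.7\t51006\t10.0.0.9\t443\ttcp\tSF\tShADadFf
"""

# conn_state values that mean the handshake never completed.
FAILED_STATES = {"S0", "REJ"}

# Bro history letters: upper case = sent by originator, lower case = by
# responder. Only the common letters are listed; others are reported raw.
HISTORY_LETTERS = {
    "s": "SYN", "h": "SYN-ACK", "a": "ACK", "d": "payload data",
    "f": "FIN", "r": "RST", "c": "bad checksum", "i": "inconsistent packet",
}


def parse_conn_log(text):
    """Return a list of dicts, one per log record, keyed by #fields names."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines, blank lines
        else:
            values = line.split("\t")
            records.append(dict(zip(fields, values)))
    return records


def describe_history(history):
    """Expand a history string such as 'Sr' into human-readable events."""
    events = []
    for ch in history:
        side = "originator" if ch.isupper() else "responder"
        events.append(f"{side} {HISTORY_LETTERS.get(ch.lower(), ch)}")
    return events


def summarize(records):
    """Per originator: Counter of conn_state and the set of destination
    ports where the attempt failed (S0 or REJ)."""
    summary = defaultdict(lambda: {"states": Counter(), "failed_ports": set()})
    for rec in records:
        entry = summary[rec["id.orig_h"]]
        entry["states"][rec["conn_state"]] += 1
        if rec["conn_state"] in FAILED_STATES:
            entry["failed_ports"].add(int(rec["id.resp_p"]))
    return dict(summary)


def flag_scanners(records, min_failed_ports=4):
    """Originators whose failed attempts span at least min_failed_ports
    distinct destination ports. The threshold is a constructed example;
    what counts as a scan depends on the environment."""
    return sorted(
        host for host, entry in summarize(records).items()
        if len(entry["failed_ports"]) >= min_failed_ports
    )


if __name__ == "__main__":
    recs = parse_conn_log(SAMPLE_CONN_LOG)
    for host, entry in summarize(recs).items():
        print(host, dict(entry["states"]), sorted(entry["failed_ports"]))
    print("scan-like originators:", flag_scanners(recs))
    print("history 'Sr' means:", describe_history("Sr"))
```

In the sample, 192.0.2.7 produces three REJ and two S0 attempts across five ports before one SF connection, so it is flagged, while 10.0.0.5 with only SF connections is not; the history "Sr" spells out why a REJ is a rejection (originator SYN, responder RST) rather than a silent drop (S0, history "S"). Bro's own scan.bro does this kind of counting with configurable thresholds and time windows inside the script framework, which is why Seth points to it.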