Gigamon issues

Hello,

I’m trying to extract files from traffic coming from a Gigamon box doing SSL decryption, but Bro doesn’t seem to like, or be able to comprehend, the data. I get the following entries in my weird.log file. Does anyone have a Gigamon they are able to do this with, or any ideas what the logs seem to indicate?

Thanks,

Carl

#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2018-06-04-11-37-09
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1528122717.528452 Cqshm33SbZlmFKbUn2 10.1.10.122 52544 134.213.72.175 80 SYN_seq_jump - F bro
1528122720.752922 Cqshm33SbZlmFKbUn2 10.1.10.122 52544 134.213.72.175 80 window_recision - F bro
1528122782.018423 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 SYN_seq_jump - F bro
1528122782.018433 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 TCP_ack_underflow_or_misorder - bro
1528122782.237519 Ccnbkv2S8zjS0Znc35 10.1.10.122 52545 134.213.72.175 80 TCP_seq_underflow_or_misorder - bro
1528122805.509482 Cd5o3I37LutpcsMP8a 10.1.10.122 52546 134.213.72.175 80 SYN_seq_jump - F bro
1528122808.723988 Cd5o3I37LutpcsMP8a 10.1.10.122 52546 134.213.72.175 80 window_recision - F bro
#close 2018-06-04-11-37-09

I thought Gigamon could only decrypt based on private keys it knew
about (not full SSL decryption of all traffic).

Is that how you are capturing this traffic?

It installs a common SSL cert trusted by the browser and acts as a man in the middle, decrypting and re-encrypting to the destination.

Here is a link to the captures that I’m having trouble getting Bro to extract,

https://www.dropbox.com/s/suebc590a5yb2ym/caps.zip?dl=0

Wireshark and Suricata are able to retrieve the files, so I’m stymied.

There’s lots of missing data in these captures. Are you doing something other than decryption with these packets before Bro gets its hands on them?

cat conn.log | bro-cut missed_bytes | grep -v 0

1871523195
784491773
14915895983
97421147
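As an added example (not code from the thread or from the Bro project), here is a small Python parser for the Bro/Zeek ASCII log format that reproduces the missed_bytes check above and tallies weird.log entries by name. The log excerpts embedded in it are constructed, reusing the uids and weird names seen in the thread.

```python
from collections import Counter

# Constructed conn.log and weird.log excerpts in Bro/Zeek ASCII format (not the
# thread's actual files); the uids and weird names mirror the ones in the thread.
CONN_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmissed_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tcount
1528122717.528452\tCqshm33SbZlmFKbUn2\t10.1.10.122\t52544\t134.213.72.175\t80\t1871523195
1528122782.018423\tCcnbkv2S8zjS0Znc35\t10.1.10.122\t52545\t134.213.72.175\t80\t0
1528122805.509482\tCd5o3I37LutpcsMP8a\t10.1.10.122\t52546\t134.213.72.175\t80\t784491773
1528122900.000000\tCxample00000000000\t10.1.10.122\t52547\t134.213.72.175\t443\t-
"""
WEIRD_LOG = """#separator \\x09
#unset_field\t-
#fields\tts\tuid\tname\taddl\tnotice\tpeer
1528122717.528452\tCqshm33SbZlmFKbUn2\tSYN_seq_jump\t-\tF\tbro
1528122720.752922\tCqshm33SbZlmFKbUn2\twindow_recision\t-\tF\tbro
1528122782.018423\tCcnbkv2S8zjS0Znc35\tSYN_seq_jump\t-\tF\tbro
1528122805.509482\tCd5o3I37LutpcsMP8a\tSYN_seq_jump\t-\tF\tbro
"""


def parse_zeek_log(text):
    """Parse a Bro/Zeek ASCII log into a list of dicts, honouring the
    #separator and #unset_field headers; unset ('-') values become None."""
    sep, unset, fields, rows = "\t", "-", [], []
    for line in text.splitlines():
        if line.startswith("#"):
            # The #separator line is space-delimited; later headers use the separator.
            key, _, val = line[1:].partition(sep if sep in line else " ")
            if key == "separator":
                sep = val.encode().decode("unicode_escape")  # "\x09" -> tab
            elif key == "unset_field":
                unset = val
            elif key == "fields":
                fields = val.split(sep)
            continue
        if line:
            vals = line.split(sep)
            rows.append({f: (None if v == unset else v) for f, v in zip(fields, vals)})
    return rows


def connections_with_loss(conn_text):
    """uid -> missed_bytes for connections where Bro saw gaps (the bro-cut check above)."""
    return {r["uid"]: int(r["missed_bytes"]) for r in parse_zeek_log(conn_text)
            if r.get("missed_bytes") not in (None, "0")}


def weird_counts(weird_text):
    """Count weird.log entries by name (SYN_seq_jump, window_recision, ...)."""
    return Counter(r["name"] for r in parse_zeek_log(weird_text))
```

Running it over a real conn.log and weird.log pair shows which uids have gaps and which weird names dominate, which is the first thing to compare between a capture that extracts files and one that does not.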

To answer your question, no, I’m not doing anything with the traffic. The data comes directly from the Gigamon to the Bro box. I think the first capture is cleaner. When I run it against Suricata I get:

[root@localhost files]# ls -la
total 14916
drwxr-xr-x. 2 root root 204 Jun 4 19:58 .
drwxr-xr-x. 4 root root 139 Jun 4 12:53 ..
-rw-r--r--. 1 root root 7401713 Jun 7 10:55 file.1
-rw-r--r--. 1 root root 888 Jun 7 10:55 file.1.meta
-rw-r--r--. 1 root root 1154140 Jun 7 10:55 file.2
-rw-r--r--. 1 root root 884 Jun 7 10:55 file.2.meta
-rw-r--r--. 1 root root 3897161 Jun 7 10:55 file.3
-rw-r--r--. 1 root root 906 Jun 7 10:55 file.3.meta
-rw-r--r--. 1 root root 129 Jun 5 10:34 file.4
-rw-r--r--. 1 root root 651 Jun 5 10:34 file.4.meta
-rw-r--r--. 1 root root 313584 Jun 5 10:34 file.5
-rw-r--r--. 1 root root 789 Jun 5 10:34 file.5.meta
-rw-r--r--. 1 root root 313584 Jun 5 10:34 file.6
-rw-r--r--. 1 root root 790 Jun 5 10:34 file.6.meta
[root@localhost files]# suricata -v -r ~/04jun2018_01.cap

and no files identify from Bro

cat conn.log | /usr/local/bro/bin/bro-cut missed_bytes | grep -v 0 is clean.