long SSH connection in conn.log

Dear list,

I started an SSH connection in my LAN at 3:32pm which lasted until 07:04pm - so we're talking about an SSH session lasting 3 1/2 hours.

In my conn.log files, I find this single SSH connection as 5 connections:

1) conn_state S1, service ssh
2-4) conn_state OTH, service -
5) conn_state SF, service -

Bro was started before the SSH connection was initiated, so I'd expect a single conn.log entry to be written when I disconnect. Or did I get something wrong here?

Thanks!
Sven

Hello Sven,

You are probably running into internal Bro timeouts here. Generally, since
Bro can only use limited amounts of RAM, Bro automatically times out
connections after it does not see any activity (exchanged packets) for a
specified period of time. For TCP, this is generally 5 minutes, defined in
tcp_inactivity_timeout.

Since interactive protocols tend to have longer periods of time where we
might not see any exchanged connections, Bro has special settings for them
- in base/protocols/conn/inactivity.bro the timeout for identified SSH
sessions is set to 1 hour. However, if your session does not exchange any
packets for more than one hour, Bro will assume that it has been closed
and just not seen the packets closing the connection. Everything following
will be regarded as a new connection - and in your case fall under the
default 5 minute timeout since it cannot reliably be identified as SSH.

This is a generic problem - you have to just assume that connections are
terminated after you did not see any exchanged data for a specified period
of time. In case the current Bro settings do not work for you, you can
redef them.

I hope that helps,
Johanna
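
As an added example (not from the thread, nor part of Bro): a small Python stitcher that re-joins conn.log records Bro split at an inactivity timeout. It relies on the conn.log history field: a segment Bro picked up mid-stream after timing out the earlier one carries no SYN ('S'/'s'), whereas a genuine new connection on the same ports starts with one. The conn.log excerpt is constructed to mirror the five records above plus one unrelated HTTP connection.

```python
# Constructed conn.log excerpt (not from the thread): one SSH session from
# 15:32 to 19:04 written as five records, plus an unrelated HTTP connection.
# ts is seconds since midnight for readability; real logs use UNIX epoch.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\tconn_state\thistory",
    "55920.0\tC1\t192.168.1.10\t51234\t192.168.1.20\t22\ttcp\tssh\t3000.0\tS1\tShADad",
    "60000.0\tC6\t192.168.1.10\t51300\t192.168.1.20\t80\ttcp\thttp\t2.0\tSF\tShADadFf",
    "63000.0\tC2\t192.168.1.10\t51234\t192.168.1.20\t22\ttcp\t-\t200.0\tOTH\tDd",
    "63600.0\tC3\t192.168.1.10\t51234\t192.168.1.20\t22\ttcp\t-\t120.0\tOTH\tDd",
    "64100.0\tC4\t192.168.1.10\t51234\t192.168.1.20\t22\ttcp\t-\t60.0\tOTH\tDd",
    "68000.0\tC5\t192.168.1.10\t51234\t192.168.1.20\t22\ttcp\t-\t640.0\tSF\tDdAaFf",
])

def parse_conn_log(text):
    """Parse Bro's TSV conn.log, taking column names from the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split("\t")))
            row["ts"], row["duration"] = float(row["ts"]), float(row["duration"])
            rows.append(row)
    return rows

def stitch_sessions(rows):
    """Merge consecutive records of one 5-tuple whose later segments show no SYN
    ('S'/'s') in history: Bro saw them mid-stream after timing out the earlier one."""
    open_sessions, finished = {}, []
    for r in sorted(rows, key=lambda r: r["ts"]):
        key = (r["id.orig_h"], r["id.orig_p"], r["id.resp_h"], r["id.resp_p"], r["proto"])
        cur = open_sessions.get(key)
        if cur is not None and not set(r["history"]) & {"S", "s"}:
            cur["uids"].append(r["uid"])
            cur["end"] = r["ts"] + r["duration"]
            cur["duration"] = cur["end"] - cur["start"]
            if cur["service"] == "-":  # only an identified segment names the protocol
                cur["service"] = r["service"]
        else:
            if cur is not None:
                finished.append(cur)
            open_sessions[key] = {"tuple": key, "uids": [r["uid"]], "start": r["ts"],
                                  "end": r["ts"] + r["duration"],
                                  "duration": r["duration"], "service": r["service"]}
    finished.extend(open_sessions.values())
    return sorted(finished, key=lambda s: s["start"])

if __name__ == "__main__":
    for s in stitch_sessions(parse_conn_log(SAMPLE_CONN_LOG)):
        print(len(s["uids"]), "record(s)", s["service"], s["duration"], "s", s["uids"])
```

Run against the sample, the five SSH records collapse into one 12720-second session while the HTTP connection stays separate.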

Hi Johanna,