Just had a recent case where we started to see in the Bro conn logs traffic originating from src port 389 for some of the systems,
and I was scratching my head thinking why would the LDAP server initiate the UDP "connection" (I know that's not a correct term to use here).
Looking more into the logs, I realized that it is actually the response from the server that Bro is logging as a completely new connection, for example:
1500927487.398576 CLr9ebnHeAYNOGzei 24.132.204.62 41600 128.175.235.216 389 udp - 93.677712 39999 0 S0 F T 0 D 597 56715 0 0 (empty)
1500927487.404591 CapBfs1lhI2XFt4gJb 128.175.235.216 389 24.132.204.62 41600 udp - 93.672242 1773687 0 S0 T F 0 D 597 1790403 0 0 (empty)
Here, in the above case, shouldn't Bro be logging only a single connection with src: 24.132.204.62 and dest: 128.175.235.216, with history 'Dd'? Or I might be missing something important here.
Hi Fatema, I don't see a reply to this message in the mailing list so
I'll give it a shot...
fatema bannatwala wrote:
1500927487.398576 CLr9ebnHeAYNOGzei 24.132.204.62 41600 128.175.235.216 389 udp - 93.677712 39999 0 S0 F T 0 D 597 56715 0 0 (empty)
1500927487.404591 CapBfs1lhI2XFt4gJb 128.175.235.216 389 24.132.204.62 41600 udp - 93.672242 1773687 0 S0 T F 0 D 597 1790403 0 0 (empty)
Here, in the above case, shouldn't Bro be logging only a single connection with src: 24.132.204.62 and dest: 128.175.235.216, with history 'Dd'? Or I might be missing something important here.
Your traffic isn't being load balanced correctly. You have one worker
receiving one flow of the connection and another worker receiving the
other flow of the connection. You can tell because of the two different
"connections" that have the 4-tuple of ports and IP addresses, and you
picked up on the "D" instead of "Dd". That just means that traffic was
only seen from the originator, which we would expect with mismatched load
balancing.
Are you seeing this sort of behavior with other connections or just this
one single odd-ball connection?
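To answer the "other connections or just this one?" question systematically, the following added example (not part of the thread, and not Bro's own code) scans conn.log records for the symptom described above: two records whose 4-tuples are mirror images of each other, logged within a short window, each with a history that shows only the originator side (no lowercase history letters). It uses the two records from the post plus a constructed normal "Dd" connection and a constructed genuinely one-way UDP datagram, so that only the split flow is reported. The 21-column field order is the Bro 2.x default conn.log layout the post's lines match; the `window` threshold is an assumption.

```python
"""Find UDP flows that Bro/Zeek logged as two half-connections.

With mismatched load balancing, each direction of one flow reaches a
different worker, and each worker logs its half as a separate connection:
mirror-image 4-tuples, near-identical timestamps, and a history with only
originator-side (uppercase) letters, e.g. "D" where a whole flow shows "Dd".
"""
from collections import namedtuple

# Column order of the 21-field conn.log in the post (Bro 2.x default layout).
FIELDS = ("ts uid orig_h orig_p resp_h resp_p proto service duration "
          "orig_bytes resp_bytes conn_state local_orig local_resp "
          "missed_bytes history orig_pkts orig_ip_bytes resp_pkts "
          "resp_ip_bytes tunnel_parents").split()
Conn = namedtuple("Conn", FIELDS)

# The two records from the post, plus two constructed records for contrast:
# a normal request/response flow ("Dd") and a real one-way syslog datagram.
SAMPLE_LINES = [
    "1500927487.398576 CLr9ebnHeAYNOGzei 24.132.204.62 41600 128.175.235.216 389 "
    "udp - 93.677712 39999 0 S0 F T 0 D 597 56715 0 0 (empty)",
    "1500927487.404591 CapBfs1lhI2XFt4gJb 128.175.235.216 389 24.132.204.62 41600 "
    "udp - 93.672242 1773687 0 S0 T F 0 D 597 1790403 0 0 (empty)",
    # constructed: whole flow seen by one worker, nothing to report
    "1500927490.000000 CnormalLdapQuery 10.0.0.5 50000 10.0.0.9 389 "
    "udp - 0.010000 120 200 SF T T 0 Dd 1 148 1 228 (empty)",
    # constructed: a single unanswered datagram; "D" alone is legitimate here
    "1500927491.000000 CsolitarySyslog 10.0.0.7 40000 10.0.0.9 514 "
    "udp - 0.000000 80 0 S0 T T 0 D 1 108 0 0 (empty)",
]


def parse_conn_line(line):
    """Split one whitespace-separated conn.log record into a Conn tuple."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("expected %d fields, got %d" % (len(FIELDS), len(parts)))
    return Conn(*parts)


def responder_seen(history):
    """Lowercase history letters are responder events; '-' means none recorded."""
    return any(c.islower() for c in history)


def find_split_flows(lines, window=1.0):
    """Return (uid_a, uid_b) pairs of records that are halves of one flow.

    Two records pair up when their 4-tuples are reversed, their timestamps
    are within `window` seconds (assumed threshold), and neither saw any
    responder-side traffic. Each uid is used in at most one pair.
    """
    conns = [parse_conn_line(l) for l in lines if l.strip() and not l.startswith("#")]
    by_tuple = {}
    for c in conns:
        by_tuple.setdefault((c.orig_h, c.orig_p, c.resp_h, c.resp_p, c.proto), []).append(c)

    pairs, used = [], set()
    for c in conns:
        if c.uid in used or responder_seen(c.history):
            continue
        reverse = (c.resp_h, c.resp_p, c.orig_h, c.orig_p, c.proto)
        for other in by_tuple.get(reverse, []):
            if other.uid in used or responder_seen(other.history):
                continue
            if abs(float(c.ts) - float(other.ts)) <= window:
                pairs.append((c.uid, other.uid))
                used.update((c.uid, other.uid))
                break
    return pairs


def merge_split_flow(a, b):
    """Reconstruct what the single record should have looked like.

    The earlier-timestamped half is taken as the true originator; the other
    half's originator counters become the responder counters, and its
    history letters are lowercased to the responder side.
    """
    first, second = sorted((a, b), key=lambda c: float(c.ts))
    return {
        "orig": (first.orig_h, first.orig_p),
        "resp": (first.resp_h, first.resp_p),
        "history": first.history + second.history.lower(),
        "orig_bytes": int(first.orig_bytes), "resp_bytes": int(second.orig_bytes),
        "orig_pkts": int(first.orig_pkts), "resp_pkts": int(second.orig_pkts),
    }


if __name__ == "__main__":
    by_uid = {parse_conn_line(l).uid: parse_conn_line(l) for l in SAMPLE_LINES}
    for uid_a, uid_b in find_split_flows(SAMPLE_LINES):
        print("split flow:", uid_a, uid_b, merge_split_flow(by_uid[uid_a], by_uid[uid_b]))
```

Run it over a real conn.log (strip the `#` header lines, which the parser already skips) and count the pairs; a handful of hits points at an odd-ball connection, while a steady stream across many hosts and ports is the load-balancing problem the reply describes.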