Connection summaries w/ IPv6 have poor readability

Description

The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.

Environment

None

Activity

Adam Slagell
April 25, 2016, 9:56 PM
Edited

I also noticed an error.

The port column is really a port or ICMP code. The correct fix is probably to change the behavior of the python script to not count a port number for ICMP as those aren't ports. Here is an example. "port" 135 and 136 are ICMP codes in this summary.

{{
Connections 909.0 - Payload 859.5k -
Ports | Sources | Destinations | Services | Protocols | States |
136 55.9% | fe80::201:5cff:fe63:1846#1 55.4% | ff02::fb#2 40.7% | - 59.3% | 1 57.5% | OTH 57.5% |
5353 40.7% | fe80::f299:bfff:fe00:4bd0#3 42.8% | ff02::1:ff02:7503#4 7.6% | dns 40.7% | 17 42.5% | S0 42.1% |
500 1.8% | fd1e:715a:47a1:67c5:d5f:b0cd:b68f:ac6c#5 1.7% | ff02::1:ff02:e0e3#6 6.6% | | | SF 0.3% |
135 1.7% | fd1e:715a:47a1:67c5:756e:dc63:f20d:4c92#7 0.1% | ff02::1:ff89:dce0#8 2.5% | | | |

fe80::201:5cff:fe63:1846#9 2.1%
2001:558:6033:197:211c:1c06:2d22:5a23#10 2.0%
fe80::f299:bfff:fe00:4bd0#11 1.9%
ff02::1:ff22:157f#12 1.8%
fd1e:715a:47a1:67c5:51aa:889:3ca8:e4bf#13 1.8%
ff02::1:ff9c:2584#14 1.0%
}}

Adam Slagell
April 26, 2016, 1:06 PM

Talking with Seth, he agrees that it probably just makes more sense to leave ICMP out of the connection summaries.

Adam Slagell
April 26, 2016, 2:11 PM

Or don't count it in the port statistics, but still count it in the protocol stats. So you would see a ton of protocol #1.

But I think I like your suggestion better because it separates things like 53/tcp and 53/udp.

On Apr 26, 2016, at 9:04 AM, Vlad Grigorescu <vlad@grigorescu.org> wrote:

I'm not sure I agree without additional context. ICMP exfil is a known technique. Wouldn't you want to know if all of a sudden, you started seeing gigs of ICMP? Or is there some other limitation that would make detecting this problematic?

What I would recommend instead is simply adding the protocols to the ports. So, instead of "top ports: 53, 80, 443, 8" you would see: "top ports: 53/udp, 80/tcp, 443/tcp, 8/icmp"

Would this be sufficient to solve the ICMP/port number confusion?

On Tue, Apr 26, 2016 at 8:07 AM, Adam Slagell (JIRA) <jira@bro-tracker.atlassian.net> wrote:

https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25900#comment-25900

Adam Slagell commented on BIT-1571:
-----------------------------------

Talking with Seth, he agrees that it probably just makes more sense to leave ICMP out of the connection summaries.


This message was sent by Atlassian JIRA
(v1000.5.0#72002)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

------

Adam J. Slagell
Chief Information Security Officer
Director, Cybersecurity Division
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."

Daniel Thayer
April 28, 2016, 6:49 PM

Branch "topic/dnthayer/ticket1571" in the trace-summary git repo contains the fix for this issue. Now trace-summary just increases the column width as needed when it sees a longer IP address.

Assignee

Unassigned

Reporter

Adam Slagell

Labels

None

External issue ID

None

Components

Fix versions

Affects versions

Priority

Low