Bro conn.log reports incorrect (very large) orig_bytes and/or resp_bytes values

Description

We run Bro to monitor connections on one of our external networks. Frequently Bro reports a large byte count (order of GBs) for some connections. However, that count cannot be corroborated with other monitoring systems such as netflow and argus.
After another such report, we managed to segregate the session in question and ran Bro and Argus offline on the same PCAP. Bro again reports a 1.8GB byte upload (in only 2 packets). The output of bro-conn.log is

$ cat conn.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2018-08-30-12-22-20
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1535561692.036735 C4XfWT37ozaYI9mWWe 10.1.1.226 18555 10.1.2.140 443 tcp ssl 0.585940 1111 5116 SF 0 ShADadfTF 12 1604 13 5660 (empty)
1535561698.678714 CFmnkc46HZK0Ookc15 10.1.1.226 18555 10.1.2.140 443 tcp ssl 0.576049 1106 21560 SF 0 ShADadfF 17 1798 31 22812 (empty)
1535561699.296562 CNTmYXnN8KQrrvRWj 10.1.1.226 18555 10.1.2.140 443 tcp ssl 0.348107 1037 8704 SF 0 ShADadfFR 13 1569 17 9396 (empty)
1535561699.732748 CeRFfC1aaGOE8Ap9E8 10.1.1.226 18555 10.1.2.140 443 tcp ssl 0.409863 1074 1029 SF 0 ShADadfF 11 1526 10 1441 (empty)
1535561700.170677 CGOUZ92OVjSX6wuzpe 10.1.1.226 18555 10.1.2.140 443 tcp 0.000255 0 0 S1 - 0 Sh 1 52 1 52 (empty)
1535561700.230771 CEx5AY1IaVAxDeF8gk 10.1.1.226 18555 10.1.2.140 443 tcp 1.477856 1987483795 0 RSTO - 0 ShR 2 92 1 52 (empty)
1535561701.948560 Cv0DNg2q320XvG6k8 10.1.1.226 18555 10.1.2.140 443 tcp ssl 0.449171 1059 2878 SF 0 ShADadfF 9 1431 10 3290 (empty)
1535561702.417811 CxR8IQZ4Jit1ItZed 10.1.1.226 18555 10.1.2.140 443 tcp ssl 3.178346 1067 891 SF 0 ShADadfF 10 1491 8 1223 (empty)
1535561724.744463 CSJqe51OEos7AM1FTe 10.1.1.226 18555 10.1.2.140 443 tcp 219.072484 0 0 SF - 0 ShAfaDF 7 293 4 184 (empty)
1535561972.879896 CP0t0q4GZ9BJvWsfz2 10.1.1.226 18555 10.1.2.140 443 tcp OTH - 0 D 1 41 0 0 (empty)
#close 2018-08-30-12-22-20

The line for uid CEx5AY1IaVAxDeF8gk (orig_bytes 1987483795 from 2 packets) shows the anomalous connection.

Argus report for the same is

$ argus -r susp_anon.pcap -w susp_anon.argus
$ ra -s +1dur +tcprtt -r susp_anon.argus
StartTime Dur Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State TcpRtt
16:54:52.036735 0.586169 e s tcp 10.1.1.226.18555 -> 10.1.2.140.https 25 7685 FIN 0.028549
16:54:58.678714 1.054034 e s tcp 10.1.1.226.18555 -> 10.1.2.140.https 78 36907 RST 0.028549
16:54:59.732748 2.215812 e tcp 10.1.1.226.18555 -> 10.1.2.140.https 26 3663 RST 0.028650
16:55:01.948560 3.647850 e s tcp 10.1.1.226.18555 -> 10.1.2.140.https 37 8067 FIN 0.028263
16:55:24.744463 1.364429 e tcp 10.1.1.226.18555 -> 10.1.2.140.https 5 318 FIN 0.028263
16:55:46.129686 1.680593 e tcp 10.1.1.226.18555 -> 10.1.2.140.https 4 240 FIN 0.028263
16:58:47.390354 0.000000 e s tcp 10.1.1.226.18555 -> 10.1.2.140.https 1 60 FIN 0.028263
16:59:03.816947 0.000000 e tcp 10.1.1.226.18555 -> 10.1.2.140.https 1 60 FIN 0.028263
16:59:32.879896 0.000000 e s tcp 10.1.1.226.18555 -> 10.1.2.140.https 1 60 FIN 0.028263

I am attaching the anonymized PCAP with this issue for reference.
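As an added example (not part of the report or of Bro itself), a check that flags conn.log rows like the one above by comparing the payload counters with the IP-layer counters: Bro derives TCP orig_bytes/resp_bytes from sequence numbers, while orig_ip_bytes/resp_ip_bytes count bytes actually seen on the wire, so a payload count larger than the IP byte count is impossible and marks a counter that cannot be trusted. It assumes a Bro 2.5-style tab-separated conn.log with a #fields header; the sample rows are constructed from the values in the report.

```python
# Sanity-check Bro/Zeek conn.log byte counters against the IP-layer counters.
# orig_bytes/resp_bytes come from TCP sequence-number deltas, so a connection
# that never completed (history "ShR": SYN, handshake, RST) can report a
# payload volume the captured packets could not have carried. orig_ip_bytes
# and resp_ip_bytes count real bytes, so payload > IP bytes is impossible.

# Constructed sample in conn.log format (tab separated, "#fields" header),
# built from rows in the report above; "-" is Bro's unset marker.
SAMPLE_CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\t"
    "service\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\t"
    "local_resp\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\t"
    "resp_ip_bytes\ttunnel_parents\n"
    "1535561692.036735\tC4XfWT37ozaYI9mWWe\t10.1.1.226\t18555\t10.1.2.140\t443\t"
    "tcp\tssl\t0.585940\t1111\t5116\tSF\t-\t-\t0\tShADadfTF\t12\t1604\t13\t5660\t(empty)\n"
    "1535561700.230771\tCEx5AY1IaVAxDeF8gk\t10.1.1.226\t18555\t10.1.2.140\t443\t"
    "tcp\t-\t1.477856\t1987483795\t0\tRSTO\t-\t-\t0\tShR\t2\t92\t1\t52\t(empty)\n"
    "1535561972.879896\tCP0t0q4GZ9BJvWsfz2\t10.1.1.226\t18555\t10.1.2.140\t443\t"
    "tcp\t-\t-\t-\t-\tOTH\t-\t-\t0\tD\t1\t41\t0\t0\t(empty)\n"
    "#close 2018-08-30-12-22-20\n"
)


def parse_conn_log(text):
    """Yield one dict per record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def _count(value):
    """Bro's unset marker '-' is treated as 0 so the comparison stays simple."""
    return 0 if value == "-" else int(value)


def suspicious_byte_counts(text):
    """Return (uid, side, payload_bytes, ip_bytes, history) for every side of a
    connection whose payload counter exceeds its IP-layer counter."""
    flagged = []
    for rec in parse_conn_log(text):
        for side in ("orig", "resp"):
            payload = _count(rec[side + "_bytes"])
            ip_bytes = _count(rec[side + "_ip_bytes"])
            if payload > ip_bytes:
                flagged.append((rec["uid"], side, payload, ip_bytes, rec["history"]))
    return flagged


if __name__ == "__main__":
    for hit in suspicious_byte_counts(SAMPLE_CONN_LOG):
        print("bogus counter:", hit)
```

Running the check over a day's conn.log gives a list of uids whose volume figures should be excluded before byte totals are compared with netflow or Argus.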

Environment

OS - Scientific Linux 7 64-bit
Bro Version - 2.5.4

Status

Assignee

Unassigned

Reporter

Dheeraj Gupta

Labels

External issue ID

None

Components

Affects versions

2.5.4
2.3
2.4

Priority

Normal