Bro conn.log reports incorrect (very large) orig_bytes and/or resp_bytes values
BIT-1979

Description

We run Bro to monitor connections on one of our external networks. Frequently Bro reports a large byte count (order of GBs) for some connections. However, that count cannot be corroborated with other monitoring systems such as netflow and argus.
After another such report, we managed to segregate the session in question and ran Bro and Argus offline on the same PCAP. Bro again reports a 1.8GB byte upload (in only 2 packets). The output of bro-conn.log is

$ cat conn.log
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2018-08-30-12-22-20
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool bool count string count count count count set[string]
1535561692.036735 C4XfWT37ozaYI9mWWe 10.1.1.226 18555 10.1.2.140 443 tcp ssl 0.585940 1111 5116 SF 0 ShADadfTF 12 1604 13 5660 (empty)
1535561698.678714 CFmnkc46HZK0Ookc15 10.1.1.226 18555 10.1.2.140 443 tcp ssl 0.576049 1106 21560 SF 0 ShADadfF 17 1798 31 22812 (empty)
1535561699.296562 CNTmYXnN8KQrrvRWj 10.1.1.226 18555 10.1.2.140 443 tcp ssl 0.348107 1037 8704 SF 0 ShADadfFR 13 1569 17 9396 (empty)
1535561699.732748 CeRFfC1aaGOE8Ap9E8 10.1.1.226 18555 10.1.2.140 443 tcp ssl 0.409863 1074 1029 SF 0 ShADadfF 11 1526 10 1441 (empty)
1535561700.170677 CGOUZ92OVjSX6wuzpe 10.1.1.226 18555 10.1.2.140 443 tcp 0.000255 0 0 S1 - 0 Sh 1 52 1 52 (empty)
1535561700.230771 CEx5AY1IaVAxDeF8gk 10.1.1.226 18555 10.1.2.140 443 tcp 1.477856 1987483795 0 RSTO - 0 ShR 2 92 1 52 (empty)
1535561701.948560 Cv0DNg2q320XvG6k8 10.1.1.226 18555 10.1.2.140 443 tcp ssl 0.449171 1059 2878 SF 0 ShADadfF 9 1431 10 3290 (empty)
1535561702.417811 CxR8IQZ4Jit1ItZed 10.1.1.226 18555 10.1.2.140 443 tcp ssl 3.178346 1067 891 SF 0 ShADadfF 10 1491 8 1223 (empty)
1535561724.744463 CSJqe51OEos7AM1FTe 10.1.1.226 18555 10.1.2.140 443 tcp 219.072484 0 0 SF - 0 ShAfaDF 7 293 4 184 (empty)
1535561972.879896 CP0t0q4GZ9BJvWsfz2 10.1.1.226 18555 10.1.2.140 443 tcp OTH - 0 D 1 41 0 0 (empty)
#close 2018-08-30-12-22-20

The bold line shows the anomalous connection.

Argus report for the same is

$ argus -r susp_anon.pcap -w susp_anon.argus
$ ra -s +1dur +tcprtt -r susp_anon.argus
StartTime Dur Flgs Proto SrcAddr Sport Dir DstAddr Dport TotPkts TotBytes State TcpRtt
16:54:52.036735 0.586169 e s tcp 10.1.1.226.18555 -> 10.1.2.140.https 25 7685 FIN 0.028549
16:54:58.678714 1.054034 e s tcp 10.1.1.226.18555 -> 10.1.2.140.https 78 36907 RST 0.028549
16:54:59.732748 2.215812 e tcp 10.1.1.226.18555 -> 10.1.2.140.https 26 3663 RST 0.028650
16:55:01.948560 3.647850 e s tcp 10.1.1.226.18555 -> 10.1.2.140.https 37 8067 FIN 0.028263
16:55:24.744463 1.364429 e tcp 10.1.1.226.18555 -> 10.1.2.140.https 5 318 FIN 0.028263
16:55:46.129686 1.680593 e tcp 10.1.1.226.18555 -> 10.1.2.140.https 4 240 FIN 0.028263
16:58:47.390354 0.000000 e s tcp 10.1.1.226.18555 -> 10.1.2.140.https 1 60 FIN 0.028263
16:59:03.816947 0.000000 e tcp 10.1.1.226.18555 -> 10.1.2.140.https 1 60 FIN 0.028263
16:59:32.879896 0.000000 e s tcp 10.1.1.226.18555 -> 10.1.2.140.https 1 60 FIN 0.028263

I am attaching the anonymized PCAP with this issue for reference.

Environment

OS-Scientific Linux 7 64-bit
Bro Version - 2.5.4

Assignee

Unassigned

Reporter

Dheeraj Gupta

Labels

External issue ID

None

Components

Affects versions

Priority

Normal
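As an added example (not code from the report or from the Bro project), the Python below parses a Bro 2.5 ASCII conn.log from its own header lines and flags records whose reassembled payload count (orig_bytes/resp_bytes) exceeds the IP-level byte count for the same direction (orig_ip_bytes/resp_ip_bytes), which cannot hold for a real flow and is exactly what the 1987483795-byte, 2-packet record above exhibits. The embedded sample log is constructed from records in the report.

```python
"""Flag conn.log records whose payload byte count exceeds the IP byte count.

Payload bytes are reassembled from the TCP stream, IP bytes are summed packet
sizes, so payload > IP bytes for one direction means the counter is wrong."""
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample (not a file from the report): the headers a Bro 2.5 ASCII
# writer emits, one healthy record, the anomalous record, and an unset (-) one.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#unset_field\t-",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice"
    "\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tlocal_resp"
    "\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents",
    "1535561692.036735\tC4XfWT37ozaYI9mWWe\t10.1.1.226\t18555\t10.1.2.140\t443\ttcp\tssl\t0.585940\t1111\t5116\tSF\t-\t-\t0\tShADadfTF\t12\t1604\t13\t5660\t(empty)",
    "1535561700.230771\tCEx5AY1IaVAxDeF8gk\t10.1.1.226\t18555\t10.1.2.140\t443\ttcp\t-\t1.477856\t1987483795\t0\tRSTO\t-\t-\t0\tShR\t2\t92\t1\t52\t(empty)",
    "1535561972.879896\tCP0t0q4GZ9BJvWsfz2\t10.1.1.226\t18555\t10.1.2.140\t443\ttcp\t-\t-\t-\t-\tOTH\t-\t-\t0\tD\t1\t41\t0\t0\t(empty)",
    "#close\t2018-08-30-12-22-20",
])

def parse_conn_log(text: str) -> Iterator[Dict[str, Optional[str]]]:
    """Yield one dict per record keyed by the #fields names; unset values -> None."""
    sep, unset, fields = "\t", "-", None
    for raw in text.splitlines():
        if raw.startswith("#separator "):      # value is escaped, e.g. \x09
            sep = raw.split(" ", 1)[1].encode().decode("unicode_escape")
        elif raw.startswith("#unset_field"):
            unset = raw.split(sep, 1)[1]
        elif raw.startswith("#fields"):
            fields = raw.split(sep)[1:]
        elif raw.startswith("#") or not raw:  # #set_separator, #path, #open, #close
            continue
        else:
            values = [None if v == unset else v for v in raw.split(sep)]
            yield dict(zip(fields, values))

def implausible_byte_counts(text: str) -> List[Tuple[str, str, int, int]]:
    """Return (uid, side, payload_bytes, ip_bytes) where payload > IP bytes."""
    hits = []
    for rec in parse_conn_log(text):
        for side in ("orig", "resp"):
            payload, ip = rec.get(f"{side}_bytes"), rec.get(f"{side}_ip_bytes")
            if payload is None or ip is None:
                continue  # Bro never saw payload on this side; nothing to compare
            if int(payload) > int(ip):
                hits.append((rec["uid"], side, int(payload), int(ip)))
    return hits
```

Run it over a real conn.log by reading the file into a string and passing it to implausible_byte_counts; each hit names the uid to pull from the PCAP for comparison with netflow or Argus.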