Examine HTTP, FTP or SMTP Sessions
These three log files (http, ftp and smtp) record session activity on ports 80 (http), 21 (ftp) and 25 (smtp) respectively. If the alarm involves any of these ports, these files may reveal the details of the sessions. The general format of all three files is: date/time<SP>%sessionnumber<SP>Message where:
date/time
    the time in UNIX epoch time. The cf utility can be used to convert this time to readable time (see the Reference Tech Manual).
%sessionnumber
    the number assigned to the session. All subsequent records in the file that are part of the session carry this same session number. Session numbers are prefixed with the % sign.
Message
    the message that the Bro policy has formed to describe the session event. Typically the message will be one of:
    - the start of the session, including the two IP addresses involved
    - an anomalous event
    - the full protocol command line that was sent
    - short statistics concerning the transaction (e.g. bytes sent)

In an alarm where the session number is given (typically in a SensitiveSignature alarm), a search on the session number in the appropriate file(s) will show the full session. See The bro/logs Directory.
    Alarm: HTTP_SensitiveURI 11/22_12.52.42 128.333.48.179 -> 80.143.378.186 3091/tcp -> 80/tcp session: %73280 payload: GET\/NR/rdonlyres/eirownz4tqwlseoggqm2ahj5cqsdbedlaxyye7kvdz7rnh6u4o2v2gpvmoggqjlekzdtulryyatiinj3xwimmiavgfb/smallshoulders.gif\ (200\ "OK"\ [1134])

From the payload shown, it is unclear what triggered the alarm. To investigate further, the entire session can be viewed. Example:
    > grep %73280 http.hostname.04-11-22_12.52.42 | cf
    Nov 22 15:18:30 %73280 start 128.333.48.179 > 80.143.378.186
    Nov 22 15:18:30 %73280 GET /fitness/default.htm (200 "OK" [10473])
    Nov 22 15:18:30 %73280 GET /javascripts/cms_common.js (304 "Not Modified" [0])
    Nov 22 15:19:47 %73280 GET /food_nutrition/default.htm (200 "OK" [13177])
    Nov 22 15:19:47 %73280 GET /NR/rdonlyres/eirwwu3xtlr22dkat5cim4ziupouzxb6kz4xbzbr4zs255ca57cvv5mhcjcrmrfg6kpcrevyndo2za3yoi5esheiolf/News111904Dairy NotFor Diet.jpg (200 "OK" [6572])
    Nov 22 15:19:51 %73280 GET /NR/rdonlyres/0D25692F-D59A-4B90-AB53-8BBC9E75A286.gif (200 "OK" [189])
    Nov 22 15:19:51 %73280 GET /NR/rdonlyres/eqpbdbex34wpqpagp2fcbxh35omcjtq45feyf7zgtjff6fhrybfbsvtszeu4rc2clayghhslfimaafkoocae6cv6wof/doctor.jpg (200 "OK" [1615])
    /NR/rdonlyres/enhskrfoodzuquvmbli2hasjspusrgsvyhbd3nlue5msoli2ueagrwdxw56gqaaa7sosee3yn2hwywcg6kgv4wcv6jc/bigback.gif (200 "OK" [8192 (interrupted)])
    /NR/rdonlyres/ej2cpd275ghrefp23ezou43haqe6fmj3oyeqxkvopf4bv4zhwbqimfrrbndqpotx55pogc7xiqvdcovaxo66afyqfof/smallleg.jpg (200 "OK" [1010])
    Nov 22 15:22:12 %73280 GET /NR/rdonlyres/eirownz4tqwlseoggqm2ahj5cqsdbedlaxyye7kvdz7rnh6u4o2v2gpvmoggqjlekzdtulryyatiinj3xwimmiavgfb/smallshoulders.gif (200 "OK" [1134])
    Nov 22 15:22:13 %73280 GET /NR/rdonlyres/49D86A33-AF6C-4873-AD11-F26DDBF222B1.gif (200 "OK" [167])

By examining this session it can clearly be seen that it is simply a web visit to a fitness website. There is no need to investigate further.
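The following is an added example, not part of the Bro manual or its tools: it parses the raw date/time<SP>%sessionnumber<SP>Message records described above and reproduces the grep-plus-cf triage step for one session, then pulls out the facts an analyst checks first (endpoints, requested URIs, bytes transferred, interrupted transfers). The sample records are constructed, cf's output is pinned to UTC for reproducibility, and the message grammar assumed for GET lines is taken from the session output shown above.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in the raw on-disk format described above
# (epoch<SP>%session<SP>message, before cf); %73281 is an interleaved session.
SAMPLE_LOG = """\
1101136710 %73280 start 128.333.48.179 > 80.143.378.186
1101136710 %73281 start 128.333.48.200 > 80.143.378.186
1101136710 %73280 GET /fitness/default.htm (200 "OK" [10473])
1101136711 %73281 GET /index.html (200 "OK" [512])
1101136787 %73280 GET /food_nutrition/default.htm (200 "OK" [13177])
1101136791 %73280 GET /NR/rdonlyres/bigback.gif (200 "OK" [8192 (interrupted)])
1101136932 %73280 GET /NR/rdonlyres/smallshoulders.gif (200 "OK" [1134])
"""

LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) (%\d+) (.*)$")
# 'GET /uri (200 "OK" [bytes])', with the "(interrupted)" marker on cut-off bodies
CMD_RE = re.compile(r'^(\w+) (\S+) \((\d{3}) "[^"]*" \[(\d+)( \(interrupted\))?\]\)$')

def parse_line(line):
    """Split one raw record into (epoch, session, message); None if malformed."""
    m = LINE_RE.match(line.strip())
    return (float(m.group(1)), m.group(2), m.group(3)) if m else None

def cf(epoch):
    """Readable time as the cf utility prints it; pinned to UTC here (assumption)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%b %d %H:%M:%S")

def session_records(log_text, session):
    """Same result as `grep %NNNNN http.* | cf`: one session's records, readable time."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return [f"{cf(r[0])} {r[1]} {r[2]}" for r in recs if r and r[1] == session]

def summarize_session(log_text, session):
    """Triage facts per session: endpoints, (method, uri, status) list, bytes, cut-off URIs."""
    summary = {"endpoints": None, "requests": [], "bytes": 0, "interrupted": []}
    for r in (parse_line(l) for l in log_text.splitlines()):
        if not r or r[1] != session:
            continue
        if r[2].startswith("start "):
            summary["endpoints"] = r[2][6:]
            continue
        g = CMD_RE.match(r[2])
        if g:
            summary["requests"].append((g.group(1), g.group(2), int(g.group(3))))
            summary["bytes"] += int(g.group(4))
            if g.group(5):
                summary["interrupted"].append(g.group(2))
    return summary
```

Records of other sessions interleaved in the same file are ignored by the session-number filter, exactly as the grep on %73280 above does.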