Node: Examine HTTP FTP or SMTP Sessions, Next: , Previous: Understand the Intent of the Alarm(s), Up: Analysis of Incidents and Alarms



Examine HTTP FTP or SMTP Sessions

These three files record session activity on ports 80(http), 21(ftp), and 25(smtp) respectively. If the alarm involves any of these ports, these files may reveal the details of the sessions. The general format of all three files is: date/time<SP>%sessionnumber<SP>Message where:

is the time in UNIX epoch time. The cf utility can be used to convert this time to readable time. Reference Tech Manual
is the number assigned to session. All subsequent records in the file that are part of the session will retain this same session number. Session numbers are prefixed with the % sign.
is the message that Bro policy has formed to describe the session event. Typically the message will be:
In an alarm where the session number is given (typically in a SensitiveSignature alarm), a search on the session number in the appropriate file(s) will show the full sessons. See The bro/logs Directory.

Example:
Consider the following alarm:
Alarm: HTTP_SensitiveURI
       11/22_12.52.42                128.333.48.179 -> 80.143.378.186
                                           3091/tcp -> 80/tcp
       session: %73280
       payload: GET\/NR/rdonlyres/eirownz4tqwlseoggqm2ahj5cqsdbedlaxyye
                7kvdz7rnh6u4o2v2gpvmoggqjlekzdtulryyatiinj3xwimmiavgfb/
                smallshoulders.gif\ (200\ "OK"\ [1134])
From the payload shown, it is unclear what triggered the alarm. To investigate further, the entire session can be viewed: Example:
> grep %73280 http.hostname.04-11-22_12.52.42 | cf
Nov 22 15:18:30 %73280 start 128.333.48.179 > 80.143.378.186
Nov 22 15:18:30 %73280 GET /fitness/default.htm (200 "OK" [10473])
Nov 22 15:18:30 %73280 GET /javascripts/cms_common.js (304 "Not Modified"[0])
Nov 22 15:19:47 %73280 GET /food_nutrition/default.htm (200 "OK"[13177])
Nov 22 15:19:47 %73280 GET/NR/rdonlyres/eirwwu3xtlr22dkat5cim4ziupouzxb6kz4xb
zbr4zs255ca57cvv5mhcjcrmrfg6kpcrevyndo2za3yoi5esheiolf/News111904Dairy NotFor
Diet.jpg (200 "OK" [6572])
Nov 22 15:19:51 %73280 GET /NR/rdonlyres/0D25692F-D59A-4B90-AB53-8BBC9E75A286.
gif (200 "OK" [189])
Nov 22 15:19:51 %73280 GET /NR/rdonlyres/eqpbdbex34wpqpagp2fcbxh35omcjtq45feyf7
zgtjff6fhrybfbsvtszeu4rc2clayghhslfimaafkoocae6cv6wof/doctor.jpg (200 "OK" [161
5])/NR/rdonlyres/enhskrfoodzuquvmbli2hasjspusrgsvyhbd3nlue5msoli2ueagrwdxw56gqa
aa7sosee3yn2hwywcg6kgv4wcv6jc/bigback.gif (200 "OK" [8192 (interrupted)])/NR/rd
onlyres/ej2cpd275ghrefp23ezou43haqe6fmj3oyeqxkvopf4bv4zhwbqimfrrbndqpotx55pogc7
xiqvdcovaxo66afyqfof/smallleg.jpg (200 "OK" [1010])
Nov 22 15:22:12 %73280 GET /NR/rdonlyres/eirownz4tqwlseoggqm2ahj5cqsdbedlaxyye7
kvdz7rnh6u4o2v2gpvmoggqjlekzdtulryyatiinj3xwimmiavgfb/smallshoulders.gif (200 "
OK" [1134])
Nov 22 15:22:13 %73280 GET /NR/rdonlyres/49D86A33-AF6C-4873-AD11-F26DDBF222B1.g
if (200 "OK" [167])
By examining this session it can clearly be seen that the session is simply a web visit to a fitness website. There is no need to investigate further.