Node: Examine the Connection and Weird Logs, Next: Examine the Bulk Trace if Available, Previous: Examine HTTP FTP or SMTP Sessions, Up: Analysis of Incidents and Alarms
The connection logs are a record of every connection Bro detects. Although they don't contain content, being able to track the network movement of an attacking host is often very useful.
If it is still not clear whether a suspect host is an attacker, the connections surrounding the suspicious connection can be examined. Here are some questions that might be answered by the conn logs.
* How many more successful connections did the attacker make to the target host?
* How much data was transferred? A lot of data means something more than an unsuccessful probe.
* Did the target host connect back to the attacker? This is a fairly sure sign of a successful attack. The attacker has gained control of the target and is connecting back to his own host.
* What was the time duration? If several attacks occur in a very short time and then slow down to human speed, it could indicate the attacker used an automated attack to gain control and then switched to a manual mode to "work on" the compromised target host.
If a host has been successfully identified as an attacker, it is useful to know what and how many other hosts the attacker has touched. This can be found by grepping through the conn logs for instances of connections by the suspect host.
If the attack used a specific, little-used port, another investigation would be to search for other similar connections using that port. Often the attacker will change attack hosts but continue to use the same attack method.
You may want to go back several days, weeks, months, or even years to see if the attacker has visited (and perhaps compromised) your site earlier without being detected.
However, be forewarned that the conn logs tend to get very large, and doing extensive searches can take a very long time.
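One way to pull these answers out of the conn logs, as an added example that is not part of the Bro manual: the field order and the state codes (SF, S0, REJ) are assumptions about the log format, and the sample log lines are constructed.

```python
"""Conn-log triage: an added example, not code from the Bro manual.
Assumed field order (hypothetical; check it against your own conn logs):
ts duration orig_h resp_h service orig_p resp_p proto orig_bytes resp_bytes state
'SF' is read as a completed connection, 'S0'/'REJ' as an unanswered attempt."""
FIELDS = ("ts", "duration", "orig_h", "resp_h", "service", "orig_p",
          "resp_p", "proto", "orig_bytes", "resp_bytes", "state")
# Constructed sample log; 10.0.0.5 is the suspect, 192.168.1.20 the target.
SAMPLE_CONN_LOG = """\
1000.0 0.01 10.0.0.5 192.168.1.20 http 40001 80 tcp 300 0 REJ
1000.2 0.01 10.0.0.5 192.168.1.20 other 40002 1433 tcp 0 0 S0
1000.4 1.50 10.0.0.5 192.168.1.20 other 40003 5555 tcp 1200 48000 SF
1300.0 2.00 192.168.1.20 10.0.0.5 other 51000 4444 tcp 900000 200 SF
1900.0 60.0 10.0.0.5 192.168.1.20 ssh 40010 22 tcp 4000 8000 SF
2000.0 0.01 10.0.0.5 192.168.1.99 other 40011 5555 tcp 0 0 S0
2100.0 0.01 10.0.0.77 192.168.1.99 other 40012 5555 tcp 0 0 S0
"""

def parse_conn_log(text):
    """Split whitespace-separated conn-log lines into dicts with numeric fields."""
    records = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            rec = dict(zip(FIELDS, line.split()))
            rec["ts"], rec["duration"] = float(rec["ts"]), float(rec["duration"])
            rec["orig_bytes"], rec["resp_bytes"] = int(rec["orig_bytes"]), int(rec["resp_bytes"])
            records.append(rec)
    return records

def triage(records, attacker, target):
    """Answer the questions from the text for one attacker/target pair."""
    to_target = [r for r in records if r["orig_h"] == attacker and r["resp_h"] == target]
    completed = [r for r in to_target if r["state"] == "SF"]
    starts = sorted(r["ts"] for r in to_target)
    return {
        # how many connections completed, and how much data moved over them
        "completed": len(completed),
        "bytes_to_target": sum(r["orig_bytes"] for r in completed),
        "bytes_from_target": sum(r["resp_bytes"] for r in completed),
        # did the target open a completed connection back to the attacker?
        "connect_back": any(r["orig_h"] == target and r["resp_h"] == attacker
                            and r["state"] == "SF" for r in records),
        # seconds between attempts: a burst, then long pauses, suggests a tool handed over to a human
        "gaps": [round(b - a, 1) for a, b in zip(starts, starts[1:])],
        # which other hosts did the attacker touch?
        "other_hosts": sorted({r["resp_h"] for r in records
                               if r["orig_h"] == attacker and r["resp_h"] != target}),
    }

def hosts_using_port(records, port):
    """Sources that hit the same unusual port: same method, possibly a new attack host."""
    return sorted({r["orig_h"] for r in records if r["resp_p"] == str(port)})
```

On a real deployment you would feed `parse_conn_log` the output of a grep for the suspect address over the date range of interest rather than the whole log, for the size reasons noted above.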
Despite attempts to have the network community adhere to network standards, non-compliant traffic occurs all the time. The weird logs are a record of instances of network traffic that simply should not happen.
While these logs are usually of interest only to the most hard-core of network engineers, if a unique attack is detected, it is sometimes valuable to search the weird logs for other unusual activities by the attacking host. Hackers are not bound by standard protocols and sometimes find ways to circumvent security via weird methods.