weird Module
The weird module processes unusual or exceptional events. A number of these “shouldn't” or even “can't” happen, yet they do. The general design philosophy of Bro is to check for such events whenever possible, because they can reflect incorrect assumptions (either Bro's or the user's), attempts by attackers to confuse the monitor and evade detection, broken hardware, misconfigured networks, and so on.
Weird events are divided into three categories, namely those pertaining to: connections; flows (a pair of hosts, but for which a specific connection cannot be identified); and network behavior (cannot be associated with a pair of hosts). These categories have a total of four event handlers: conn_weird, conn_weird_addl, flow_weird, and net_weird, and in the corresponding sections below we catalog the events handled by each. In addition, we separately catalog the events generated by the standard scripts themselves (see: Events generated by the standard scripts). Finally, two more weird events have their own handlers, in order to associate detailed information with the event: rexmit_inconsistency and ack_above_hole.
weird_file is the logging file that the module uses to record exceptional events. It defaults to open_log_file("weird").
Note: While these events “shouldn't” happen, in reality they often do. For example, of the 73 listed below, a search of 10 months' worth of logs at LBNL shows that 42 were seen operationally. While some of the instances reflect attacks, the great majority are simply due to i) buggy implementations, ii) diverse use of the network, or iii) Bro bugs or limitations. Accordingly, you may initially be inclined to log each instance, but don't be surprised to find that you soon decide to only record many of them in the weird file, or not record them at all. (For further discussion, see the section on “crud” in XXX bro-comp-networks-99.)
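As an added illustration (not the manual's own weird.bro), the following policy script wires the four category handlers described above into weird_file through one shared reporting function, and gives the operator two redefinable sets for the "crud" problem the note describes: names to suppress outright, and names to count rather than log line by line. The handler signatures are Bro's; the sets, the table and the report_weird helper are assumptions for illustration, and the sets start empty so that nothing is dropped until the operator chooses to.

```bro
# Added example; report_weird, weird_ignore, weird_count_only and
# weird_counts are assumed names, not part of the standard scripts.

# Weird names to suppress entirely (fill in from operational experience).
global weird_ignore: set[string] &redef;

# Weird names to tally instead of writing one line per instance.
global weird_count_only: set[string] &redef;
global weird_counts: table[string] of count &default = 0;

# Single logging path so every category lands in weird_file in one format.
function report_weird(name: string, where: string)
	{
	if ( name in weird_ignore )
		return;

	if ( name in weird_count_only )
		{
		++weird_counts[name];
		return;
		}

	print weird_file, fmt("%.6f %s %s", network_time(), where, name);
	}

# Connection-level weirdness: the 4-tuple identifies the offending connection.
event conn_weird(name: string, c: connection)
	{
	report_weird(name, fmt("%s:%d > %s:%d", c$id$orig_h, c$id$orig_p,
	                       c$id$resp_h, c$id$resp_p));
	}

# Same, with the extra detail string appended to the name.
event conn_weird_addl(name: string, c: connection, addl: string)
	{
	conn_weird(fmt("%s (%s)", name, addl), c);
	}

# Flow-level weirdness: only the host pair is known.
event flow_weird(name: string, src: addr, dst: addr)
	{
	report_weird(name, fmt("%s > %s", src, dst));
	}

# Network-level weirdness: no host pair can be associated.
event net_weird(name: string)
	{
	report_weird(name, "-");
	}

# Emit the tallies for counted names when Bro shuts down.
event bro_done()
	{
	for ( n in weird_counts )
		print weird_file, fmt("%s: %d instances", n, weird_counts[n]);
	}
```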