7.24 The weird Module

The weird module processes unusual or exceptional events. A number of these “shouldn't” or even “can't” happen, yet they do. The general design philosophy of Bro is to check for such events whenever possible, because they can reflect incorrect assumptions (either Bro's or the user's), attempts by attackers to confuse the monitor and evade detection, broken hardware, misconfigured networks, and so on.

Weird events are divided into three categories, namely those pertaining to: connections; flows (a pair of hosts, but for which a specific connection cannot be identified); and network behavior (cannot be associated with a pair of hosts). These categories have a total of four event handlers: conn_weird, conn_weird_addl, flow_weird, and net_weird, and in the corresponding sections below we catalog the events handled by each. In addition, we separately catalog the events generated by the standard scripts themselves (See: Events generated by the standard scripts). Finally, two more weird events have their own handlers, in order to associate detailed information with the event: rexmit_inconsistency and ack_above_hole.

weird_file is the logging file that the module uses to record exceptional events. It defaults to open_log_file("weird").

Note: While these events “shouldn't” happen, in reality they often do. For example, of the 73 listed below, a search of 10 months' worth of logs at LBNL shows that 42 were seen operationally. While some of the instances reflect attacks, the great majority are simply due to i) buggy implementations, ii) diverse use of the network, or iii) Bro bugs or limitations. Accordingly, you may initially be inclined to log each instance, but don't be surprised to find that you soon decide to only record many of them in the weird file, or not record them at all. (For further discussion, see the section on “crud” in XXX bro-comp-networks-99.)
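As an added example (not part of the original manual or the Bro distribution), the following policy script shows how the six handlers named above fit together: all of them funnel into one logging function that writes to weird_file, while a locally maintained ignore set lets you stop recording names you have decided are benign "crud" without losing sight of how often they occur. The handler signatures (conn_weird, conn_weird_addl, flow_weird, net_weird, rexmit_inconsistency, ack_above_hole), the use of open_log_file and &redef, and the helper id_string are assumptions about the Bro scripting language of this era rather than facts stated on this page; the names in ignore_weirds are constructed placeholders.

```bro
# Added example, not from the Bro distribution.  Handler signatures below are
# assumed from Bro of this era; verify them against your bro.init.

# The module's log file; per the manual it defaults to open_log_file("weird").
global weird_file = open_log_file("weird") &redef;

# Constructed placeholder names: weirds that local review has classed as
# benign.  They are counted but not written to weird_file.
const ignore_weirds: set[string] = {
	"EXAMPLE_benign_weird_1",
	"EXAMPLE_benign_weird_2",
} &redef;

# Per-name counters, so a suppressed event is still visible in the summary.
global weird_counts: table[string] of count &default = 0;

# Hypothetical helper: render a connection's 4-tuple for the log line.
function id_string(c: connection): string
	{
	return fmt("%s/%s > %s/%s", c$id$orig_h, c$id$orig_p,
	           c$id$resp_h, c$id$resp_p);
	}

function log_weird(name: string, detail: string)
	{
	++weird_counts[name];

	if ( name in ignore_weirds )
		return;

	print weird_file, fmt("%.6f %s %s", network_time(), name, detail);
	}

# Category 1: weirds tied to a specific connection.
event conn_weird(name: string, c: connection)
	{
	log_weird(name, id_string(c));
	}

event conn_weird_addl(name: string, c: connection, addl: string)
	{
	log_weird(name, fmt("%s (%s)", id_string(c), addl));
	}

# Category 2: a host pair, but no identifiable connection.
event flow_weird(name: string, src: addr, dst: addr)
	{
	log_weird(name, fmt("%s > %s", src, dst));
	}

# Category 3: cannot be associated with a pair of hosts at all.
event net_weird(name: string)
	{
	log_weird(name, "");
	}

# The two weirds with dedicated handlers carry extra detail: the original
# and retransmitted payloads that disagree, and a bare connection.
event rexmit_inconsistency(c: connection, t1: string, t2: string)
	{
	log_weird("rexmit_inconsistency",
	          fmt("%s original=%s retransmitted=%s", id_string(c), t1, t2));
	}

event ack_above_hole(c: connection)
	{
	log_weird("ack_above_hole", id_string(c));
	}

# At shutdown, report how many suppressed weirds were seen, so that choosing
# not to log a name never means losing track of it entirely.
event bro_done()
	{
	for ( name in weird_counts )
		if ( name in ignore_weirds )
			print weird_file, fmt("summary %s suppressed=%d",
			                      name, weird_counts[name]);
	}
```

Because ignore_weirds and weird_file are declared &redef, a site can tune both from a local policy file without editing this script; the bro_done summary is what keeps a name that has been muted from silently masking a change in its rate, which is the signal that separates ordinary crud from an evasion attempt or a newly broken device.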