@sethhall
Created April 11, 2014 01:43
Bro Heartbleed detection with @erratarob's attempted evasion from https://twitter.com/erratarob/status/454431302482001921. (check the notice.log)
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2014-04-10-21-40-58
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count set[string]
1397173677.295334 CRVrQz4kM8bETkZAd9 10.20.30.165 5353 224.0.0.251 5353 udp dns 3.000172 120 0 S0 - 0 D 3 204 0 0 (empty)
1397173669.761904 C0oDrV3mAS653MpdGh 10.20.30.157 53669 10.20.30.165 443 tcp ssl 2.133122 257 5015 S1 - 0 ShADd 13 777 11 5459 (empty)
#close 2014-04-10-21-40-58
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dns
#open 2014-04-10-21-40-58
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
1397173677.295334 CRVrQz4kM8bETkZAd9 10.20.30.165 5353 224.0.0.251 5353 udp 0 _googlecast._tcp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F
1397173678.295392 CRVrQz4kM8bETkZAd9 10.20.30.165 5353 224.0.0.251 5353 udp 0 _googlecast._tcp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F
1397173680.295506 CRVrQz4kM8bETkZAd9 10.20.30.165 5353 224.0.0.251 5353 udp 0 _googlecast._tcp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F
#close 2014-04-10-21-40-58
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path files
#open 2014-04-10-21-40-58
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string
1397173671.818021 Fbe0Xz178NG1aHeiac 10.20.30.165 10.20.30.157 C0oDrV3mAS653MpdGh SSL 0 SHA1,X509,MD5 - - 0.000000 - F 429 - 0 0 F - 0c5fe3ec996ec9f653243786d8f9cbea 494d64afd12a1bcf06ad072fc361d7811c0cd401 - -
#close 2014-04-10-21-40-58
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2014-04-10-21-40-58
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1397173671.826022 C0oDrV3mAS653MpdGh 10.20.30.157 53669 10.20.30.165 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 20, payload length 4073 - 10.20.30.157 10.20.30.165 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1397173671.882025 C0oDrV3mAS653MpdGh 10.20.30.157 53669 10.20.30.165 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An TLS heartbleed attack was detected and probably exploited - 10.20.30.157 10.20.30.165 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2014-04-10-21-40-58
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssl
#open 2014-04-10-21-40-58
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string bool vector[string] vector[string] string string string string
1397173671.813021 C0oDrV3mAS653MpdGh 10.20.30.157 53669 10.20.30.165 443 TLSv11 TLS_DHE_RSA_WITH_AES_256_CBC_SHA - - unknown-128 F Fbe0Xz178NG1aHeiac (empty) - - - -
#close 2014-04-10-21-40-58
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2014-04-10-21-40-58
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1397173680.295506 - - - - - dns_unmatched_msg - F bro
#close 2014-04-10-21-40-58
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path x509
#open 2014-04-10-21-40-58
#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
1397173671.818021 Fbe0Xz178NG1aHeiac 1 F60C39056AC1E9A9 CN=*.example.com. CN=*.example.com. 1397117048.000000 1428566648.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - - -
#close 2014-04-10-21-40-58
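To pull the Heartbleed notices out of the notice.log above programmatically, here is an added example (not part of the gist, not Bro/Zeek's own code) of a small parser for Bro (now Zeek) TSV logs that honours the #separator, #fields, #unset_field and #empty_field headers. The embedded sample is the gist's two notice rows re-tabbed and trimmed to a subset of columns; the length values come from the notice msg on the page.

```python
import re

# Constructed sample: the notice.log rows from the gist, re-tabbed (the page
# renders tabs as spaces) and trimmed to the columns this example uses.
NOTICE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tnotice\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfuid\tnote\tmsg\tsub\tactions\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tenum\tstring\tstring\tset[enum]\n"
    "1397173671.826022\tC0oDrV3mAS653MpdGh\t10.20.30.157\t53669\t10.20.30.165\t443\t-\t"
    "Heartbleed::SSL_Heartbeat_Attack\tAn TLS heartbleed attack was detected! "
    "Record length 20, payload length 4073\t-\tNotice::ACTION_LOG\n"
    "1397173671.882025\tC0oDrV3mAS653MpdGh\t10.20.30.157\t53669\t10.20.30.165\t443\t-\t"
    "Heartbleed::SSL_Heartbeat_Attack_Success\tAn TLS heartbleed attack was detected "
    "and probably exploited\t-\tNotice::ACTION_LOG\n"
    "#close\t2014-04-10-21-40-58\n"
)


def parse_zeek_log(text):
    """Yield one dict per record. The '#separator' line is space-separated and
    escaped (\\x09); every later header uses the separator it declares.
    Unset fields ('-') become None, empty fields ('(empty)') become ''."""
    sep, fields, unset, empty = "\t", None, "-", "(empty)"
    for line in text.splitlines():
        if line.startswith("#separator "):
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "fields":
                fields = val.split(sep)
            elif key == "unset_field":
                unset = val
            elif key == "empty_field":
                empty = val
        elif line and fields:
            vals = [None if v == unset else "" if v == empty else v for v in line.split(sep)]
            yield dict(zip(fields, vals))


LEN_RE = re.compile(r"Record length (\d+), payload length (\d+)")


def heartbleed_findings(text):
    """Return (uid, note, record_len, payload_len, overread) per Heartbleed notice.
    overread is True when the declared payload exceeds the TLS record that carried
    it, the mismatch the detector reports; lengths are None if the msg has none."""
    out = []
    for rec in parse_zeek_log(text):
        if not (rec.get("note") or "").startswith("Heartbleed::"):
            continue
        m = LEN_RE.search(rec.get("msg") or "")
        rlen, plen = (int(m.group(1)), int(m.group(2))) if m else (None, None)
        out.append((rec["uid"], rec["note"], rlen, plen, m is not None and plen > rlen))
    return out
```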