This section is still under development.


The Bro NIDS is currently running. The implementation is still under development.

Bro weird.log extract. weird.log records protocol-level anomalies, traffic that Bro's analyzers could not make sense of, such as an HTTP request line that does not parse (bad_HTTP_request) or a TCP segment whose checksum does not verify (bad_TCP_checksum). All entries below are external hosts reaching the web server 192.168.0.111 on port 80. Treat bad_TCP_checksum with care: it is frequently a capture artifact (checksum offloading on the sniffing interface) rather than hostile traffic, so confirm the capture setup before alerting on it.

timestamp                 source_ip        source_port  dest_ip        dest_port  msg
2014-02-15T15:02:22+0100  41.249.206.93    50103        192.168.0.111  80         bad_TCP_checksum
2014-02-15T15:03:18+0100  84.64.12.181     6724         192.168.0.111  80         bad_HTTP_request
2014-02-15T15:03:18+0100  84.64.12.181     6724         192.168.0.111  80         bad_TCP_checksum
2014-02-15T15:06:13+0100  178.41.163.2411313 (*)        192.168.0.111  80         bad_HTTP_request
2014-02-15T15:30:48+0100  54.221.70.138    60332        192.168.0.111  80         bad_TCP_checksum
2014-02-15T15:32:04+0100  92.1.72.193      29987        192.168.0.111  80         bad_HTTP_request
2014-02-15T15:43:33+0100  202.46.48.1849083 (*)         192.168.0.111  80         bad_TCP_checksum
2014-02-15T15:43:39+0100  119.63.193.131   38334        192.168.0.111  80         bad_TCP_checksum
2014-02-15T15:46:31+0100  208.43.251.180   12287        192.168.0.111  80         bad_TCP_checksum
2014-02-15T15:51:59+0100  84.64.12.181     29272        192.168.0.111  80         bad_HTTP_request

(*) The separator between source_ip and source_port was lost in this extract and the split cannot be recovered for these two rows (178.41.163.241/1313 or 178.41.163.24/11313; 202.46.48.184/9083 or 202.46.48.18/49083), so the field is left as found. The 84.64.12.x rows are read as 84.64.12.181, the only valid split of the last row.

Bro connection summary (output of Bro's trace-summary script over conn.log). The #n marks refer to the reverse-DNS lookups listed under each table, UNKNOWN meaning no name could be resolved. Note that 99% of incoming connections go to 192.168.0.111 on port 80, the same host and port the weird.log entries above point at.


>== Total === 2013-12-31-19-48-07 - 2014-01-01-23-59-48

- Connections 37.0k - Payload 43.4m -
Ports       | Sources                           | Destinations               | Services    | Protocols | States
5355  51.3% | 192.168.0.11#1              20.2% | ff02::1:3#2          25.8% | dns   55.9% | 17  88.5% | S0     85.3%
1900  25.5% | fe80::2971:2c44:5ba9:8e48#3 18.6% | 224.0.0.252#4        25.5% | -     40.1% | 6    7.3% | SF      6.4%
80     6.1% | 192.168.27.14#5             17.4% | 239.255.255.250#6    24.5% | dhcp   2.6% | 1    4.2% | OTH     4.8%
136    3.7% | 192.168.0.2#7                3.9% | 192.168.0.111#8       7.2% | http   1.4% |           | SHR     2.8%
67     2.6% | fe80::e1ec:6b10:cd1b:d44e#9  3.3% | 192.168.0.255#10      4.1% | smtp   0.0% |           | RSTO    0.5%
137    2.5% | fe80::9d6:a4bd:1c5c:3f82#11  3.3% | 255.255.255.255#12    2.5% |             |           | S2      0.1%
53     1.8% | 192.168.0.16#13              3.3% | 8.8.8.8#14            1.8% |             |           | S1      0.1%
138    1.5% | 192.168.0.15#15              3.2% | ff02::c#16            1.5% |             |           | S3      0.1%
547    1.3% | 192.168.0.111#17             2.7% | ff02::1:2#18          1.3% |             |           | RSTR    0.0%
3306   1.2% | 192.168.0.13#19              2.3% | ff02::1:ff9f:933d#20  0.8% |             |           | RSTRH   0.0%


1=UNKNOWN
2=UNKNOWN
3=UNKNOWN
4=UNKNOWN
5=UNKNOWN
6=UNKNOWN
7=UNKNOWN
8=UNKNOWN
9=UNKNOWN
10=UNKNOWN
11=UNKNOWN
12=UNKNOWN
13=UNKNOWN
14=google-public-dns-a.google.com
15=UNKNOWN
16=UNKNOWN
17=UNKNOWN
18=UNKNOWN
19=UNKNOWN
20=UNKNOWN


>== Top 10 local networks by number of connections


1 24.8k 192.168.0.0/16 Private IP space


>== 12206 connections did not have any local address. Here are the first 10:


fe80::224:d4ff:fec2:6bf3 <-> ff02::1:ff9f:933d
fe80::e9a0:c958:58f9:7d9a <-> ff02::1:ffe9:f3f1
fe80::9879:b0c4:7ce9:f3f1 <-> ff02::1:fff9:7d9a
fe80::9879:b0c4:7ce9:f3f1 <-> ff02::1:3
fe80::2971:2c44:5ba9:8e48 <-> ff02::1:3

>== Incoming === 2014-01-01-00-13-06 - 2014-01-01-23-49-34

- Connections 2.3k - Payload 12.3m -
Ports       | Sources                 | Destinations          | Services    | Protocols | States
80    99.0% | 109.13.174.102#1   5.2% | 192.168.0.111#2 99.0% | -     76.2% | 6   99.0% | SF     85.0%
67     1.0% | 158.181.248.191#3  4.7% | 192.168.0.254#4  1.0% | http  22.8% | 17   1.0% | RSTO    8.2%
            | 158.181.217.198#5  3.8% |                       | dhcp   1.0% |           | S2      2.4%
            | 91.178.204.242#6   3.2% |                       |             |           | SHR     1.9%
            | 109.28.62.101#7    3.2% |                       |             |           | S1      1.2%
            | 2.28.225.191#8     2.9% |                       |             |           | S3      0.9%
            | 88.138.34.220#9    2.7% |                       |             |           | RSTR    0.4%
            | 83.197.193.33#10   2.4% |                       |             |           | RSTRH   0.0%
            | 197.9.7.26#11      2.2% |                       |             |           | OTH     0.0%
            | 188.110.234.140#12 2.1% |                       |             |           |


1=102.174.13.109.rev.sfr.net
2=UNKNOWN
3=UNKNOWN
4=UNKNOWN
5=UNKNOWN
6=242.204-178-91.adsl-dyn.isp.belgacom.be
7=101.62.28.109.rev.sfr.net
8=UNKNOWN
9=220.34.138.88.rev.sfr.net
10=ANice-651-1-447-33.w83-197.abo.wanadoo.fr
11=UNKNOWN
12=dslb-188-110-234-140.pools.arcor-ip.net



>== Outgoing === 2013-12-31-19-48-08 - 2014-01-01-23-59-48

- Connections 22.5k - Payload 22.9m -
Ports       | Sources                | Destinations            | Services    | Protocols | States
5355  41.9% | 192.168.0.11#1   33.2% | 224.0.0.252#2     41.9% | dns   49.3% | 17  97.9% | S0     92.7%
1900  39.8% | 192.168.27.14#3  28.5% | 239.255.255.250#4 40.2% | -     46.8% | 6    2.1% | SHR     4.3%
137    4.1% | 192.168.0.2#5     6.4% | 192.168.0.255#6    6.7% | dhcp   3.9% |           | SF      2.0%
67     3.9% | 192.168.0.16#7    5.4% | 255.255.255.255#8  3.9% | http   0.0% |           | OTH     0.9%
53     3.0% | 192.168.0.15#9    5.3% | 8.8.8.8#10         2.9% | smtp   0.0% |           | RSTO    0.0%
138    2.5% | 192.168.0.111#11  4.5% | 192.168.0.111#12   2.0% |             |           | RSTR    0.0%
3306   2.0% | 192.168.0.13#13   3.8% | 224.0.0.251#14     0.4% |             |           |
123    1.5% | 192.168.0.17#15   2.4% | 216.66.0.142#16    0.4% |             |           |
5353   0.4% | 192.168.0.25#17   2.2% | 212.83.133.51#18   0.4% |             |           |
3702   0.4% | 192.168.0.199#19  2.0% | 69.167.160.102#20  0.4% |             |           |


1=UNKNOWN
2=UNKNOWN
3=UNKNOWN
4=UNKNOWN
5=UNKNOWN
6=UNKNOWN
7=UNKNOWN
8=UNKNOWN
9=UNKNOWN
10=google-public-dns-a.google.com
11=UNKNOWN
12=UNKNOWN
13=UNKNOWN
14=UNKNOWN
15=UNKNOWN
16=ccadmin.cycoresys.com
17=UNKNOWN
18=kitty.zeroloop.net
19=UNKNOWN
20=host2.kingrst.com


>== 192.168.0.0/16 Private IP space === 2013-12-31-19-48-08 - 2014-01-01-23-59-48

- Connections 24.8k - Payload 35.2m -
Ports       | Sources                | Destinations             | Services    | Protocols | States
5355  38.1% | 192.168.0.11#1   30.2% | 224.0.0.252#2      38.1% | -     49.4% | 17  89.1% | S0     84.3%
1900  36.2% | 192.168.27.14#3  25.9% | 239.255.255.250#4  36.5% | dns   44.8% | 6   10.9% | SF      9.5%
80     9.1% | 192.168.0.2#5     5.8% | 192.168.0.111#6    10.8% | dhcp   3.6% |           | SHR     4.1%
137    3.7% | 192.168.0.16#7    4.9% | 192.168.0.255#8     6.1% | http   2.1% |           | OTH     0.8%
67     3.6% | 192.168.0.15#9    4.8% | 255.255.255.255#10  3.6% | smtp   0.0% |           | RSTO    0.8%
53     2.8% | 192.168.0.111#11  4.1% | 8.8.8.8#12          2.7% |             |           | S2      0.2%
138    2.3% | 192.168.0.13#13   3.5% | 224.0.0.251#14      0.3% |             |           | S1      0.1%
3306   1.8% | 192.168.0.17#15   2.2% | 216.66.0.142#16     0.3% |             |           | S3      0.1%
123    1.3% | 192.168.0.25#17   2.0% | 212.83.133.51#18    0.3% |             |           | RSTR    0.1%
5353   0.4% | 192.168.0.199#19  1.8% | 69.167.160.102#20   0.3% |             |           | RSTRH   0.0%


1=UNKNOWN
2=UNKNOWN
3=UNKNOWN
4=UNKNOWN
5=UNKNOWN
6=UNKNOWN
7=UNKNOWN
8=UNKNOWN
9=UNKNOWN
10=UNKNOWN
11=UNKNOWN
12=google-public-dns-a.google.com
13=UNKNOWN
14=UNKNOWN
15=UNKNOWN
16=ccadmin.cycoresys.com
17=UNKNOWN
18=kitty.zeroloop.net
19=UNKNOWN
20=host2.kingrst.com

First: 2013-12-31-19-48-07 (1388515687.266047)  Last: 2014-01-01-23-59-48 (1388617188.795513)
0:51.37 real, 15.99 user, 4.03 sys, 0K total memory
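The two views on this page, the weird.log extract and the trace-summary tables, are both derived from Bro's tab-separated ASCII logs. As a worked example (added here; not code from the original page or from the Bro project), the block below parses that format from its own header lines and rebuilds both views: a per-source-host breakdown of weird names, and the percentage columns trace-summary prints for conn.log. The log excerpts inside the block are constructed for the example: the header lines follow the Bro 2.x ASCII layout, the weird.log rows reuse the unambiguous hosts from the extract above with made-up uids, and the conn.log sample keeps only the first twelve of Bro's conn.log columns.

```python
"""Parse Bro's ASCII logs and rebuild the two views shown on this page.

Added example, not code from the original page or from Bro itself. The sample
logs below are constructed: headers follow the Bro 2.x ASCII format, the
weird.log rows reuse hosts from the extract above with made-up uids, and the
conn.log sample keeps only the first twelve of Bro's conn.log columns."""
from collections import Counter, defaultdict

WEIRD_LOG = """#separator \\x09
#unset_field\t-
#path\tweird
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tname\taddl\tnotice\tpeer
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tbool\tstring
1392472942.183000\tCXWv6p3arKYeMETxOg\t41.249.206.93\t50103\t192.168.0.111\t80\tbad_TCP_checksum\t-\tF\tbro
1392472998.412000\tC4J4Th3PJpwUYZZ6gc\t84.64.12.181\t6724\t192.168.0.111\t80\tbad_HTTP_request\t-\tF\tbro
1392472998.412000\tC4J4Th3PJpwUYZZ6gc\t84.64.12.181\t6724\t192.168.0.111\t80\tbad_TCP_checksum\t-\tF\tbro
1392474648.001000\tCmES5u32sYpV7JYNf\t54.221.70.138\t60332\t192.168.0.111\t80\tbad_TCP_checksum\t-\tF\tbro
1392475919.500000\tCRJuHdVW0XPVINV8a\t84.64.12.181\t29272\t192.168.0.111\t80\tbad_HTTP_request\t-\tF\tbro
#close\t2014-02-15-16-00-00
"""

CONN_LOG = """#separator \\x09
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1388515687.266047\tC1\t192.168.0.11\t51000\t224.0.0.252\t5355\tudp\tdns\t0.100000\t22\t0\tS0
1388515690.100000\tC2\t192.168.0.11\t51001\t224.0.0.252\t5355\tudp\tdns\t0.100000\t22\t0\tS0
1388515695.200000\tC3\t192.168.0.11\t51002\t224.0.0.252\t5355\tudp\tdns\t0.100000\t22\t0\tS0
1388515701.300000\tC4\t192.168.0.11\t51003\t224.0.0.252\t5355\tudp\tdns\t0.100000\t22\t0\tS0
1388515710.400000\tC5\t192.168.0.11\t51004\t224.0.0.252\t5355\tudp\tdns\t0.100000\t22\t0\tS0
1388515720.000000\tC6\t192.168.27.14\t1900\t239.255.255.250\t1900\tudp\t-\t3.000000\t350\t0\tS0
1388531586.000000\tC7\t109.13.174.102\t40123\t192.168.0.111\t80\ttcp\thttp\t0.250000\t412\t5120\tSF
1388540000.000000\tC8\t158.181.248.191\t53001\t192.168.0.111\t80\ttcp\thttp\t0.300000\t380\t2048\tSF
1388545000.000000\tC9\t91.178.204.242\t60222\t192.168.0.111\t80\ttcp\t-\t0.010000\t0\t0\tRSTO
1388550000.000000\tC10\t192.168.0.16\t50555\t8.8.8.8\t53\tudp\tdns\t0.020000\t60\t120\tSF
"""


def _convert(typ, val):
    """Map a Bro field type (from the #types header) to a Python value."""
    if typ in ("time", "interval", "double"):
        return float(val)
    if typ in ("port", "count", "int"):
        return int(val)
    if typ == "bool":
        return val == "T"
    return val  # addr, string, enum: keep the text as written


def parse_bro_log(text):
    """Parse one Bro ASCII log into a list of dicts keyed by the #fields names.

    Separator, field names, types and the unset marker all come from the
    header, so the same function handles weird.log, conn.log or any other log."""
    sep, unset, fields, types, records = "\t", "-", [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator"):
            # Written as "#separator \x09": the escape sequence is literal text.
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
        elif line.startswith("#"):
            key, *vals = line.split(sep)
            if key == "#fields":
                fields = vals
            elif key == "#types":
                types = vals
            elif key == "#unset_field":
                unset = vals[0]
        else:
            vals = line.split(sep)
            if len(vals) != len(fields):
                raise ValueError("malformed record: %r" % line)
            records.append({f: None if v == unset else _convert(t, v)
                            for f, t, v in zip(fields, types, vals)})
    return records


def weird_by_source(records):
    """weird.log -> {originating host: Counter of weird names}."""
    out = defaultdict(Counter)
    for r in records:
        out[r["id.orig_h"]][r["name"]] += 1
    return dict(out)


def conn_breakdown(records, column):
    """conn.log -> [(value, count, percent)] for one column, most common first:
    the figures trace-summary prints in its Ports/Services/States columns."""
    counts = Counter("-" if r[column] is None else str(r[column]) for r in records)
    total = len(records)
    return [(v, n, round(100.0 * n / total, 1)) for v, n in counts.most_common()]


if __name__ == "__main__":
    for host, names in sorted(weird_by_source(parse_bro_log(WEIRD_LOG)).items()):
        print(host, dict(names))
    conn = parse_bro_log(CONN_LOG)
    for column in ("id.resp_p", "service", "conn_state"):
        print(column, conn_breakdown(conn, column))
```

Run it directly to print both breakdowns. Because the header drives the parsing, feeding parse_bro_log() the contents of a real weird.log or conn.log works without changes; weird_by_source() and conn_breakdown() only touch the columns they name, so the extra columns of a full conn.log are simply carried along.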