Ah! it is obvious now! Yep that was it. Its a relatively slow scan and I only extracted all activity for this specific source IP out of timemachine.
I didn't see this behavior in other test cases because there I pull scanners based on ports so somewhat of more 'fluid' traffic. Thanks, Aashish On Fri, Apr 13, 2018 at 07:46:33AM -0400, Seth Hall wrote: > > > On 13 Apr 2018, at 0:30, Aashish Sharma wrote: > > > So I am seeing some weird stuff in my sample pcap of scanners. May be > > too > > obvious and I am just not seeing why/how of it. > > It's a straight forward answer but not completely obvious. :) > > > Q. Why would connection_attempt event kick in after 36 minutes and 6 > > seconds ? ( > > 06:13:48 - 05:37:42 ) ? > > I bet that you have a jump in timestamps in your pcap. Since Bro's internal > clock is driven forward by seeing timestamps associated with packets it's > possible that your pcap has a 36 minute jump in timestamps so Bro couldn't > have possibly expired anything in the time before that because from its > perspective there was an immediate jump in time. You don't normally > experience the effects of this behavior in traffic you're sniffing live > because you will tend to have many packets every second so you see Bro's > clock driven forward in very tiny increments as you would expect. If you go > a long time without receiving a packet is when stuff gets tricky. > > .Seth > > -- > Seth Hall * Corelight, Inc * www.corelight.com _______________________________________________ bro-dev mailing list firstname.lastname@example.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev