2015-04-14 12:16 PM
Hi,
Is there a way to figure out encrypted communication?
Currently I am querying on "crypto exists" to pick encrypted traffic.
But I only see sessions on >service 443,22,25
However, I see multiple >tcp.dstport values.
Can you provide a brief intro into how service is populated?
If there is a communication src:45673 -> dst:13022 (SSH traffic)
Does this traffic record crypto as "aes256-cbc" and service as 22?
Currently I am assuming service is just populating an alias for dstport for known services.
Please let me know if I am wrong.
Thanks,
Uma
2015-04-14 01:12 PM
Service is not just an alias for destination port. Service is registered by parsers which determine that a session conforms to a particular protocol regardless of ports.
For example, if there is an HTTP session on a port other than 80, the HTTP parser will still register the service as HTTP for that session. Likewise, if a session on port 80 is not HTTP then the HTTP parser will not register service as HTTP for that session.
Service meta itself is numeric, and those numbers correspond to the well-known port for that protocol. But don't confuse those values with the port used for the session.
For example,
service: 80
tcp.dstport: 1234
The value of service is "80", which will show up in the UI as "HTTP". But the destination port is 1234. So this was an HTTP session on port 1234.
Another,
service: 22
tcp.dstport: 80
The value of service is "22", which will show up in the UI as "SSH". But the destination port is 80. So this was an SSH session on port 80.
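The distinction in this answer, as an added example (not code from the thread or from the product): a small Python model in which `service` holds the parser-registered protocol (as its well-known port number) and `tcp.dstport` holds the real port, so grouping encrypted sessions by service shows few service values but many ports, and a service/dstport mismatch is exactly "protocol X on port Y". The session records and the `WELL_KNOWN` table are constructed for the example.

```python
WELL_KNOWN = {22: "SSH", 25: "SMTP", 80: "HTTP", 443: "SSL"}

# Constructed sample session meta, using the field names from the thread.
# `service` is what the protocol parser registered (the protocol's
# well-known port); tcp.dstport is the port the session actually used.
SESSIONS = [
    {"sid": 1, "service": 80, "tcp.dstport": 1234, "crypto": None},
    {"sid": 2, "service": 22, "tcp.dstport": 80, "crypto": "aes256-cbc"},
    {"sid": 3, "service": 22, "tcp.dstport": 13022, "crypto": "aes256-cbc"},
    {"sid": 4, "service": 443, "tcp.dstport": 8443, "crypto": "TLS"},
    {"sid": 5, "service": 443, "tcp.dstport": 443, "crypto": "TLS"},
    {"sid": 6, "service": 80, "tcp.dstport": 80, "crypto": None},
]


def service_name(service):
    """Render the numeric service meta the way the UI does."""
    return WELL_KNOWN.get(service, str(service))


def crypto_exists(sessions):
    """Model the 'crypto exists' query: sessions that carry crypto meta."""
    return [s for s in sessions if s["crypto"] is not None]


def ports_by_service(sessions):
    """Group sessions by parsed protocol, collecting the real ports seen.
    On encrypted traffic this reproduces what the poster saw: few service
    values, many distinct tcp.dstport values."""
    groups = {}
    for s in sessions:
        groups.setdefault(service_name(s["service"]), set()).add(s["tcp.dstport"])
    return {name: sorted(ports) for name, ports in groups.items()}


def nonstandard_port_sessions(sessions):
    """Sessions whose parsed protocol is not on its well-known port.
    Since service == well-known port of the detected protocol, a mismatch
    with tcp.dstport is exactly 'protocol X on port Y' (e.g. SSH on 80)."""
    return [
        (s["sid"], service_name(s["service"]), s["tcp.dstport"])
        for s in sessions
        if s["service"] != s["tcp.dstport"]
    ]


if __name__ == "__main__":
    print(ports_by_service(crypto_exists(SESSIONS)))
    print(nonstandard_port_sessions(SESSIONS))
```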
2015-04-14 12:35 PM
Uma, my understanding is that it's populated by the network parsers based on the expected port. So if it decodes as SSH, it will be service=22, even if it's actually on a destination port of 13022, or even on port 80. I.e., service is the actual protocol in use, regardless of the port.
Equally confusingly, network parsers typically populate udp.dstport or tcp.dstport, but firewall parsers populate ip.dstport and protocol. How are we supposed to correlate this stuff?
2015-04-15 03:48 AM
Thanks Motley, That answers my question.