It would be nice to have an optional hook at the script level which could signal Bro as to which side is the originator if the 3-way handshake was missed. There are a number of cases where we could use local site knowledge to definitively identify originator & responder.
On Mon, Aug 25, 2014 at 2:40 PM, Vlad Grigorescu <[email protected]> wrote:
> This ties into something I had noticed recently. Certain scanning tools like to use the same source port per destination IP (I imagine to cache portions of the TCP header). During these scans, multiple TCP connections occur. Bro saw traffic that had:
>
> - A connection that was set up and torn down as expected (conn_state == "SF")
> - A few minutes pass
> - A second connection that was set up and torn down as expected, *except* that the first SYN was missed - either by Bro or upstream loss.
>
> Bro considered these the same connection.
>
> Does it make sense that following a connection teardown, if a SYN-ACK is seen, a new connection begins, instead of using the existing connection? I can probably grab a PCAP if necessary.
>
> --Vlad
>
> On Mon, Aug 25, 2014 at 4:32 PM, Jon Siwek (JIRA) <[email protected]> wrote:
>
>> [ https://bro-tracker.atlassian.net/browse/BIT-1236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
>>
>> Jon Siwek updated BIT-1236:
>> ---------------------------
>> Status: Merge Request (was: Open)
>>
>> > topic/jsiwek/flip-on-syn-ack
>> > ----------------------------
>> >
>> > Key: BIT-1236
>> > URL: https://bro-tracker.atlassian.net/browse/BIT-1236
>> > Project: Bro Issue Tracker
>> > Issue Type: Improvement
>> > Components: Bro
>> > Affects Versions: git/master
>> > Reporter: Jon Siwek
>> > Assignee: Robin Sommer
>> > Fix For: 2.4
>> >
>> > This branch is in bro and bro-testing-private.
>> > The goal is the same as https://github.com/bro/bro/pull/11, but I have it flip roles at an even earlier point in the code path or else I notice some inconsistencies in things like connection history strings or the connsize analyzer counters (which were probably also issues w/ the old flipping method).
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
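The two behaviours debated in this thread, flipping originator and responder when the first packet seen on a 4-tuple is a SYN-ACK, and starting a fresh connection when a new handshake arrives on a 4-tuple that has already been torn down, as a small constructed Python tracker. This is an added illustration, not Bro's code and not the topic/jsiwek/flip-on-syn-ack branch: the history letters follow Bro's conn.log convention (S, H, A, F, R; uppercase for the originator, lowercase for the responder; '^' when roles were flipped), but the Tracker class, its two switches, the endpoints 10.0.0.1:40000 and 10.0.0.2:80, and the packet sequences are assumptions made for the example. Teardown is simplified to "FIN seen from both sides"; RSTs and Bro's connection timers are not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10   # standard TCP flag bits
Endpoint = Tuple[str, int]                     # (address, port)

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int

@dataclass
class Conn:
    orig: Endpoint
    resp: Endpoint
    history: str = ""        # conn.log style: upper = originator, lower = responder
    orig_fin: bool = False
    resp_fin: bool = False

def history_letter(flags: int) -> str:
    """conn.log history letter: H = SYN-ACK, S = SYN, R = RST, F = FIN, A = ACK."""
    if flags & SYN:
        return "H" if flags & ACK else "S"
    if flags & RST:
        return "R"
    return "F" if flags & FIN else "A"   # payload ('D') is not modelled here

class Tracker:
    """Hypothetical tracker (not Bro's) with one switch per debated behaviour."""

    def __init__(self, flip_on_syn_ack: bool, split_after_teardown: bool):
        self.flip_on_syn_ack = flip_on_syn_ack
        self.split_after_teardown = split_after_teardown
        self.active: Dict[Tuple[Endpoint, Endpoint], Conn] = {}
        self.finished: List[Conn] = []

    @staticmethod
    def key(p: Pkt) -> Tuple[Endpoint, Endpoint]:
        """Direction-independent key for the TCP 4-tuple."""
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def feed(self, p: Pkt) -> Conn:
        k = self.key(p)
        sender, peer = (p.src, p.sport), (p.dst, p.dport)
        letter = history_letter(p.flags)
        conn = self.active.get(k)

        # Vlad's case: both sides already sent FIN on this 4-tuple and a new
        # SYN or SYN-ACK arrives. With the switch on, finish the old connection
        # and start a fresh one instead of folding the handshake into it.
        if (conn is not None and conn.orig_fin and conn.resp_fin
                and letter in ("S", "H") and self.split_after_teardown):
            self.finished.append(conn)
            conn = None

        if conn is None:
            if self.flip_on_syn_ack and letter == "H":
                # First packet seen is a SYN-ACK, so the SYN was missed and the
                # sender must be the responder: flip roles and mark with '^'.
                conn = Conn(orig=peer, resp=sender, history="^")
            else:
                conn = Conn(orig=sender, resp=peer)
            self.active[k] = conn

        from_orig = sender == conn.orig
        conn.history += letter if from_orig else letter.lower()
        if p.flags & FIN:
            if from_orig:
                conn.orig_fin = True
            else:
                conn.resp_fin = True
        return conn

# Constructed endpoints: scanner A talking to web server B.
A: Endpoint = ("10.0.0.1", 40000)
B: Endpoint = ("10.0.0.2", 80)

def pkt(src: Endpoint, dst: Endpoint, flags: int) -> Pkt:
    return Pkt(src[0], src[1], dst[0], dst[1], flags)

def missed_syn(flip: bool) -> Conn:
    """Scenario 1: the client's SYN was lost; the first packet seen is the SYN-ACK."""
    t = Tracker(flip_on_syn_ack=flip, split_after_teardown=True)
    t.feed(pkt(B, A, SYN | ACK))
    return t.feed(pkt(A, B, ACK))

def scan_with_reused_port(split: bool) -> Tuple[List[Conn], List[Conn]]:
    """Scenario 2: a complete connection, then a second one on the same 4-tuple
    whose leading SYN was missed. Returns (finished, still active)."""
    t = Tracker(flip_on_syn_ack=True, split_after_teardown=split)
    first = [pkt(A, B, SYN), pkt(B, A, SYN | ACK), pkt(A, B, ACK),
             pkt(A, B, FIN | ACK), pkt(B, A, FIN | ACK), pkt(A, B, ACK)]
    second = [pkt(B, A, SYN | ACK), pkt(A, B, ACK),
              pkt(A, B, FIN | ACK), pkt(B, A, FIN | ACK), pkt(A, B, ACK)]
    for p in first + second:
        t.feed(p)
    return t.finished, list(t.active.values())
```

Without the flip, missed_syn(False) records the server 10.0.0.2:80 as originator with history "Ha"; with it, missed_syn(True) yields the client as originator and "^hA". Without splitting after teardown, scan_with_reused_port(False) merges both connections into one record with history "ShAFfAhAFfA", which is the merged connection Vlad described; with splitting, the first connection finishes as "ShAFfA" and the second starts as "^hAFfA".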
