[Bro] originator/responder possibly swapped

Hoelzer, Dave dhoelzer at sans.org
Thu Jul 21 11:47:31 PDT 2016

It could be that Bro missed the first packet in the exchange. The originator will be whoever it sees first, afaik.

From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Tim Desrochers
Sent: Thursday, July 21, 2016 12:35 PM
To: bro at bro.org
Subject: [Bro] originator/responder possibly swapped

Is it possible for bro to swap the originator and responder IP addresses in its logs.

Below you will see the only conn.log I have for a IP address.  The originator is the external host and responder is the internal IP of my org.  Then every other log I have ssh and notice where this IP shows up the originator is my internal host and the responder is the external IP.

conn.15: 00: 00-16: 00: 00.log.gz: {
            "ts": 1469114110842,
            "uid": "ClvNzi2EnWQnmykMZ7",
            "id.orig_h": "EXTERNAL IP",
            "id.orig_p": 15000,
            "id.resp_h": "INTERNAL HOST",
            "id.resp_p": 1043,
            "proto": "tcp",
            "duration": 0.658319,
            "orig_bytes": 416,
            "resp_bytes": 976,
            "conn_state": "SF",
            "local_orig": false,
            "local_resp": true,
            "missed_bytes": 0,
            "history": "DadAfF",
            "orig_pkts": 12,
            "orig_ip_bytes": 1040,
            "resp_pkts": 10,
            "resp_ip_bytes": 1496,
            "tunnel_parents": [],
            "orig_cc": "US",
            "sensorname": "SENSOR-1"
}notice.15: 00: 00-16: 00: 00.log.gz: {
            "ts": 1469113976350,
            "uid": "CseS0Q2AQ0biwoE97g",
            "id.orig_h": "INTERNAL HOST",
            "id.orig_p": 1024,
            "id.resp_h": "EXTERNAL IP",
            "id.resp_p": 15000,
            "proto": "tcp",
            "note": "SSH::Interesting_Hostname_Login",
            "msg": "Possible SSH login involving a remote server with an interesting hostname.",
            "sub": "EXTERNAL DOMAIL",
            "src": "",
            "dst": "EXTERNAL IP",
            "p": 15000,
            "peer_descr": "SENSOR-1",
            "actions": ["Notice::ACTION_EMAIL",
            "suppress_for": 3600.0,
            "dropped": false
}ssh.15: 00: 00-16: 00: 00.log.gz: {
            "ts": 1469116787409,
            "uid": "CWQdeiL75K07BRtb4",
            "id.orig_h": "INTERNAL HOST",
            "id.orig_p": 1427,
            "id.resp_h": "EXTERNAL IP",
            "id.resp_p": 15000,
            "version": 2,
            "auth_success": true,
            "direction": "OUTBOUND",
            "client": "SSH-2.0-OpenSSH_3.1p1",
            "server": "SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2",
            "cipher_alg": "aes128-cbc",
            "mac_alg": "hmac-md5",
            "compression_alg": "none",
            "kex_alg": "diffie-hellman-group-exchange-sha1",
            "host_key_alg": "ssh-rsa",
            "host_key": "REMOVED",
            "remote_location.country_code": "US"

Thoughts as to why?  Also, I know I saw this come up before but it has been burried, does auth_success:true indicate that ssh authentication was successful
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20160721/0ce92f16/attachment-0001.html 

More information about the Bro mailing list