[Bro] SYN/ACK Attack
tgdesrochers at gmail.com
Sun Jul 24 08:01:37 PDT 2016
I have been seeing A LOT of SYN/ACK attacks lately on my net and it seems
that every time Bro is switching the orig and resp IP's. Luckily the
history column has helped me determine which IP is the true src.
Also, I have SiLK running on my bro sensors and the netflow traffic I get
from SiLK is identifying the true src and resp IP addresses but Bro seems
to switch the IP addresses. Is this because Bro thinks it missed the SYN
packet so it switches the IP's? Should it be doing this?
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro