[Bro] caret and the stick
seth at corelight.com
Tue Sep 5 12:23:55 PDT 2017
On 5 Sep 2017, at 14:54, Allen, Brian wrote:
> Here is a line from our conn.log showing what I think is backscatter.
> (Our network is 188.8.131.52/16.)
> 128.252.X.Y 57756 184.108.40.206 80 tcp - - - - OTH T F 0 ^h 0 0 1 44
> So in this example, what was flipped exactly?
Good question! For background, Bro "flips" connections in the case
that it thinks it has orig and resp backwards. You nailed a very common
case where this will be true. Since backscatter will frequently have a
server port as the src port, the "correct" way to view that connection
(if it was an actual full connection) would be to "flip" it and swap the
orig and resp.
In the case that you outlined, 220.127.116.11 sent a single packet (a
syn-ack based on the history field) with src port 80 and dst port 57756
(the likely actual ephemeral port). Since Bro initially had no context,
it viewed 18.104.22.168 as the originator since it was the first host that
seemed to send a packet. But, 80/tcp is registered as a likely server
port and no other analyzers attached to the connection so Bro flipped it
so that the likely server port was the resp_p.
Seth Hall * Corelight, Inc * www.corelight.com
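To make the explanation above concrete, here is a small added example (my own code, not Seth's and not Bro's implementation) that parses a conn.log record with the default Bro 2.x column layout, interprets the history field (the leading "^" meaning Bro flipped the connection, uppercase letters from the originator, lowercase from the responder), and applies the backscatter heuristic described in the thread: a flipped, single-packet SYN+ACK from the responder with nothing from the originator and an OTH state. The ts and uid columns are placeholders I constructed, since the quoted line omitted them; the letter table is my summary of the documented history codes.

```python
"""Interpret a Bro conn.log record and flag likely backscatter.

Added example, not code from the thread or from Bro. Assumes the default
Bro 2.x conn.log column order; ts/uid values below are constructed.
"""

# Default Bro 2.x conn.log #fields order (assumption for this example).
CONN_FIELDS = (
    "ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration "
    "orig_bytes resp_bytes conn_state local_orig local_resp missed_bytes "
    "history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes"
).split()

# The record quoted in the thread, re-joined on one line; ts and uid are
# constructed placeholders because the quoted line did not include them.
SAMPLE_LINE = "\t".join([
    "1504651200.000000", "CPLACEHOLDER0",
    "128.252.X.Y", "57756", "184.108.40.206", "80", "tcp",
    "-", "-", "-", "-", "OTH", "T", "F", "0", "^h", "0", "0", "1", "44",
])

# History letters (my summary of the documented conn.log codes).
# Uppercase = sent by originator, lowercase = sent by responder.
HISTORY_LETTERS = {
    "s": "SYN (no ACK)", "h": "SYN+ACK", "a": "pure ACK", "d": "payload data",
    "f": "FIN", "r": "RST", "c": "bad checksum", "g": "content gap",
    "t": "retransmitted payload", "w": "zero window", "i": "inconsistent packet",
    "q": "multi-flag packet",
}


def parse_conn_record(line: str) -> dict:
    """Split one tab-separated conn.log line into a field -> value dict."""
    values = line.rstrip("\n").split("\t")
    if len(values) != len(CONN_FIELDS):
        raise ValueError(f"expected {len(CONN_FIELDS)} columns, got {len(values)}")
    return dict(zip(CONN_FIELDS, values))


def describe_history(history: str) -> dict:
    """Decode a history string such as '^h' or 'ShADadFf'.

    A leading '^' means Bro flipped orig/resp after the fact; every other
    character is one observed event attributed to the side given by case.
    """
    flipped = history.startswith("^")
    letters = history[1:] if flipped else history
    events = []
    for ch in letters:
        side = "originator" if ch.isupper() else "responder"
        events.append((side, HISTORY_LETTERS.get(ch.lower(), "unknown")))
    return {"flipped": flipped, "events": events}


def looks_like_backscatter(rec: dict) -> bool:
    """Heuristic from the thread: after the flip, the only packet is a
    SYN+ACK from the 'responder' (the real sender, on a server port), the
    local 'originator' sent nothing, and the state is OTH."""
    hist = describe_history(rec["history"])
    return (
        hist["flipped"]
        and hist["events"] == [("responder", "SYN+ACK")]
        and rec["conn_state"] == "OTH"
        and rec["orig_pkts"] == "0"
        and int(rec["resp_pkts"]) == 1
    )


if __name__ == "__main__":
    rec = parse_conn_record(SAMPLE_LINE)
    print("flipped:", describe_history(rec["history"]))
    print("resp_h/resp_p after flip:", rec["id.resp_h"], rec["id.resp_p"])
    print("backscatter?", looks_like_backscatter(rec))
```

Run against the quoted record this reports the connection as flipped, with the remote host and port 80 now on the resp side and the local 128.252 host on the orig side, and flags it as backscatter; a normal full handshake history such as ShADadFf is not flipped and is not flagged.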