[Bro-Dev] connection_established behavior
Gregor Maier
gregor at icir.org
Tue Dec 14 08:35:26 PST 2010
The reason is why the behavior differs is, that the "connection" has
only one packet and thus the ConnectionCompressor will not instantiate
the full Connection. If there were a packet from the other endpoint
after the SYN/ACK, then ConnectionCompressor would instantiate a
connection and you should see the same behavior when the packets are
passed to the TCP Analyzer (i.e., you would the Weird and the
connection_established event)
cu
Gregor
On 12/14/10 8:05 , Seth Hall wrote:
> This is related to this ticket: http://tracker.icir.org/bro/ticket/285
>
> I am fairly lost on this, hopefully someone will have insight into the behavior. In the following snippet of code, there's a strange behavior (maybe intentional?) where a packet with SYN/ACK flags set and no other packets related to the connection are seen, the connection_established event will be generated.
>
> ====CODE====
> if ( peer->state == TCP_ENDPOINT_SYN_SENT )
> peer->SetState(TCP_ENDPOINT_ESTABLISHED);
> else if ( peer->state == TCP_ENDPOINT_INACTIVE )
> {
> // If we were to ignore SYNs and
> // only instantiate state on SYN
> // acks, then we'd do:
> // peer->SetState(TCP_ENDPOINT_ESTABLISHED);
> // here.
> Weird("unsolicited_SYN_response");
> }
>
> endpoint->SetState(TCP_ENDPOINT_ESTABLISHED);
> ====END CODE====
>
> This only seems to be true when the connection compressor is disabled though. The connection compressor *seems* to prevent this effect. I'll include steps to reproduce the problem here and I'll attach the example tracefile to this email...
>
> ===POLICY SCRIPT (test.bro)===
> @load conn
> event connection_established(c: connection)
> {
> print fmt("gah! there shouldn't be a connection established (%s)", id_string(c$id));
> }
> ===END POLICY SCRIPT===
>
> Here's the output with a connection established that shouldn't happen:
> [seth at Blake build (master)]$ ./src/bro -C -f "ip" -r connection_established-problem.trace test use_connection_compressor=F
> 1285716061.336160 weird: unsolicited_SYN_response
> gah! there shouldn't be a connection established (128.146.242.61/3072 > 121.254.178.6/http)
>
> Here's the (lack of) output with the connection compressor enabled:
> [seth at Blake build (master)]$ ./src/bro -C -f "ip" -r connection_established-problem.trace test use_connection_compressor=T
> [seth at Blake build (master)]$
>
> I also disabled the checksum validation because the TCP header has an invalid checksum in the packet for some reason.
>
> Sorry for the long email, but any thoughts on the behavior of the sans connection compressor behavior?
>
> .Seth
>
>
>
>
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro-ids.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
--
Gregor Maier gregor at icir.org
Int. Computer Science Institute (ICSI) gregor at icsi.berkeley.edu
1947 Center St., Ste. 600 http://www.icir.org/gregor/
Berkeley, CA 94704
USA
More information about the bro-dev
mailing list