[Bro-Dev] connection_established behavior

Gregor Maier gregor at icir.org
Tue Dec 14 08:35:26 PST 2010


The reason why the behavior differs is that the "connection" has
only one packet and thus the ConnectionCompressor will not instantiate
the full Connection. If there were a packet from the other endpoint
after the SYN/ACK, then ConnectionCompressor would instantiate a
connection and you should see the same behavior when the packets are
passed to the TCP Analyzer (i.e., you would see the Weird and the
connection_established event).

cu
Gregor

On 12/14/10 8:05 , Seth Hall wrote:
> This is related to this ticket: http://tracker.icir.org/bro/ticket/285
> 
> I am fairly lost on this, hopefully someone will have insight into the behavior.  In the following snippet of code, there's a strange behavior (maybe intentional?) where, when a packet with SYN/ACK flags set is seen and no other packets related to the connection are seen, the connection_established event will be generated.
> 
> ====CODE====
> 			if ( peer->state == TCP_ENDPOINT_SYN_SENT )
> 				peer->SetState(TCP_ENDPOINT_ESTABLISHED);
> 			else if ( peer->state == TCP_ENDPOINT_INACTIVE )
> 				{
> 				// If we were to ignore SYNs and
> 				// only instantiate state on SYN
> 				// acks, then we'd do:
> 				//    peer->SetState(TCP_ENDPOINT_ESTABLISHED);
> 				// here.
> 				Weird("unsolicited_SYN_response");
> 				}
> 
> 			endpoint->SetState(TCP_ENDPOINT_ESTABLISHED);
> ====END CODE====
> 
> This only seems to be true when the connection compressor is disabled though.  The connection compressor *seems* to prevent this effect.  I'll include steps to reproduce the problem here and I'll attach the example tracefile to this email...
> 
> ===POLICY SCRIPT (test.bro)===
> @load conn
> event connection_established(c: connection)
> 	{
> 	print fmt("gah! there shouldn't be a connection established (%s)", id_string(c$id));
> 	}
> ===END POLICY SCRIPT===
> 
> Here's the output with a connection established that shouldn't happen:
> [seth at Blake build (master)]$ ./src/bro -C -f "ip"  -r connection_established-problem.trace test use_connection_compressor=F
> 1285716061.336160 weird: unsolicited_SYN_response
> gah! there shouldn't be a connection established (128.146.242.61/3072 > 121.254.178.6/http)
> 
> Here's the (lack of) output with the connection compressor enabled:
> [seth at Blake build (master)]$ ./src/bro -C -f "ip"  -r connection_established-problem.trace test use_connection_compressor=T
> [seth at Blake build (master)]$ 
> 
> I also disabled the checksum validation because the TCP header has an invalid checksum in the packet for some reason.
> 
> Sorry for the long email, but any thoughts on the behavior sans the connection compressor?
> 
>   .Seth
> 
> 
> 
> 
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro-ids.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


-- 
Gregor Maier                                             gregor at icir.org
Int. Computer Science Institute (ICSI)          gregor at icsi.berkeley.edu
1947 Center St., Ste. 600                    http://www.icir.org/gregor/
Berkeley, CA 94704
USA
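As an added illustration of the two behaviours described in this thread (not part of the original exchange, and not Bro's own code), the following Python model reproduces the quoted SYN/ACK branch of the TCP analyzer together with Gregor's description of the ConnectionCompressor gate. The names Packet, Endpoint, TcpAnalyzer and run_trace, the three-state endpoint machine, and the rule that connection_established fires as soon as an endpoint reaches ESTABLISHED on a SYN/ACK are all assumptions made for this illustration; the sample traces are constructed, not the trace file attached to Seth's email.

```python
# Added example: a deliberately simplified model of the behaviour discussed in
# the thread. It is NOT Bro's code; the names Packet, Endpoint, TcpAnalyzer
# and run_trace are assumptions made for this illustration.
from dataclasses import dataclass
from enum import Enum, auto


class State(Enum):
    INACTIVE = auto()
    SYN_SENT = auto()
    ESTABLISHED = auto()


@dataclass
class Packet:
    src: str          # "orig" or "resp"
    syn: bool = False
    ack: bool = False


@dataclass
class Endpoint:
    state: State = State.INACTIVE


class TcpAnalyzer:
    """Models only the SYN and SYN/ACK handling quoted from TCP.cc above."""

    def __init__(self):
        self.orig = Endpoint()
        self.resp = Endpoint()
        self.events = []

    def deliver(self, pkt):
        if pkt.src == "orig":
            endpoint, peer = self.orig, self.resp
        else:
            endpoint, peer = self.resp, self.orig

        if pkt.syn and not pkt.ack:
            endpoint.state = State.SYN_SENT
        elif pkt.syn and pkt.ack:
            # Mirrors the quoted branch: a SYN/ACK answering a SYN completes
            # the peer; a SYN/ACK with no prior SYN from the peer is "weird".
            if peer.state == State.SYN_SENT:
                peer.state = State.ESTABLISHED
            elif peer.state == State.INACTIVE:
                self.events.append("weird:unsolicited_SYN_response")
            endpoint.state = State.ESTABLISHED
            # Simplification (assumed): the thread's output shows
            # connection_established firing right after this transition.
            self.events.append("connection_established")
        # Other packets (plain ACK, data) leave this toy state machine alone.


def run_trace(packets, use_connection_compressor):
    """Return the events the toy analyzer raises for a single-connection trace."""
    if not use_connection_compressor:
        analyzer = TcpAnalyzer()
        for pkt in packets:
            analyzer.deliver(pkt)
        return analyzer.events

    # Compressor model (from Gregor's explanation): hold packets until both
    # endpoints have been seen; only then instantiate the analyzer and replay.
    buffered, senders, analyzer = [], set(), None
    for pkt in packets:
        if analyzer is not None:
            analyzer.deliver(pkt)
            continue
        buffered.append(pkt)
        senders.add(pkt.src)
        if len(senders) == 2:
            analyzer = TcpAnalyzer()
            for held in buffered:
                analyzer.deliver(held)
    return analyzer.events if analyzer is not None else []


# Constructed sample traces (not the trace file attached to the email).
LONE_SYN_ACK = [Packet("resp", syn=True, ack=True)]
FULL_HANDSHAKE = [Packet("orig", syn=True),
                  Packet("resp", syn=True, ack=True),
                  Packet("orig", ack=True)]
SYN_ACK_THEN_REPLY = [Packet("resp", syn=True, ack=True),
                      Packet("orig", ack=True)]

if __name__ == "__main__":
    for name, trace in [("lone SYN/ACK", LONE_SYN_ACK),
                        ("full handshake", FULL_HANDSHAKE),
                        ("SYN/ACK then reply", SYN_ACK_THEN_REPLY)]:
        for compressor in (False, True):
            print(f"{name}, use_connection_compressor={compressor}: "
                  f"{run_trace(trace, compressor)}")
```

Run stand-alone, the lone SYN/ACK trace yields the weird plus connection_established only with the compressor off, matching Seth's two runs; adding a reply from the other endpoint makes the compressor instantiate the connection and the same two events reappear, which is the case Gregor describes. For anyone triaging conn logs, this is why a single unsolicited SYN/ACK can show up as an "established" connection when the compressor is disabled.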

