[Bro-Dev] connection_established behavior

Seth Hall seth at icir.org
Tue Dec 14 09:38:35 PST 2010


On Dec 14, 2010, at 11:35 AM, Gregor Maier wrote:

> The reason why the behavior differs is that the "connection" has
> only one packet and thus the ConnectionCompressor will not instantiate
> the full Connection. If there were a packet from the other endpoint
> after the SYN/ACK, then ConnectionCompressor would instantiate a
> connection and you should see the same behavior when the packets are
> passed to the TCP Analyzer (i.e., you would see the Weird and the
> connection_established event)


I guess then I'm interested to hear everyone's take on this due to spoofed SYN packets (remote machines at other sites responding to spoofed traffic appearing to come from your address space).  If there is nothing listening at the site's address to which a spurious SYN-ACK is directed, then you could see a lot of connection_established events generated if you aren't running the connection compressor, due to no RST packet being sent back.  I would expect most sites would be running the connection compressor when running on live traffic, but they seem to be having this issue at OSU and, as best I can tell, they're running the connection compressor.  I'm still trying to replicate the problem exactly as they're seeing it, though.  Hopefully I'll have some more information on this soon.

The problem with this for the guys at OSU is that if the connection_established event ends up being generated and the responder is on a list of known-bad sites, then they get an alert about a connection to a botnet or something when there wasn't really a connection at all, just a spurious SYN-ACK.

  .Seth
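The following is an added illustration of the point raised in the message above; it is not Bro's code and does not model the ConnectionCompressor or the TCP analyzer. It is a toy handshake tracker that only reports a connection as established once the originator's side has actually participated, so a lone SYN-ACK aimed at a silent local address (the spoofed-SYN backscatter case) is recorded as a weird rather than as an established connection, and a known-bad-responder alert is only raised for flows that really completed. The addresses, the `Tracker`/`known_bad_alerts`/`run_scenarios` names, and the four packet scenarios are all constructed for the example.

```python
"""Toy TCP handshake tracker (added example, not Bro's own logic).

Shows when a monitor has enough evidence to say "connection established":
a lone SYN-ACK with no prior SYN and no reply from the local host stays a
weird, and must not trigger a known-bad-responder alert.  The addresses are
constructed from the RFC 5737 documentation ranges.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

FlowKey = Tuple[str, str]  # (originator, responder)

# Handshake states.  SPURIOUS_SYNACK means a SYN-ACK arrived with no prior SYN
# from the supposed originator; it is promoted to ESTABLISHED only if that
# originator actually acknowledges it (i.e. we merely missed its SYN).
NONE, SYN_SENT, SYN_RECEIVED, ESTABLISHED, RESET, SPURIOUS_SYNACK = (
    "NONE", "SYN_SENT", "SYN_RECEIVED", "ESTABLISHED", "RESET", "SPURIOUS_SYNACK")


@dataclass
class Tracker:
    flows: Dict[FlowKey, str] = field(default_factory=dict)
    weirds: List[str] = field(default_factory=list)

    def feed(self, src: str, dst: str, flags: FrozenSet[str]) -> str:
        """Apply one TCP segment and return the flow's resulting state."""
        if "SYN" in flags and "ACK" not in flags:
            key = (src, dst)                     # the SYN sender is the originator
            self.flows[key] = SYN_SENT
        elif "SYN" in flags and "ACK" in flags:
            key = (dst, src)                     # the SYN-ACK sender is the responder
            if self.flows.get(key) == SYN_SENT:
                self.flows[key] = SYN_RECEIVED
            else:
                self.weirds.append(f"SYN-ACK without SYN: {src} -> {dst}")
                self.flows[key] = SPURIOUS_SYNACK
        elif "RST" in flags:
            key = self._key_for(src, dst)
            self.flows[key] = RESET
        else:                                    # plain ACK or data segment
            key = self._key_for(src, dst)
            state = self.flows.get(key, NONE)
            if key[0] == src and state in (SYN_RECEIVED, SPURIOUS_SYNACK):
                # The originator acknowledges the SYN-ACK: handshake complete.
                self.flows[key] = ESTABLISHED
            elif state == NONE:
                self.weirds.append(f"mid-stream segment: {src} -> {dst}")
                self.flows[key] = NONE
        return self.flows[key]

    def _key_for(self, src: str, dst: str) -> FlowKey:
        # Find the flow in either direction; default to src as originator.
        return (dst, src) if (dst, src) in self.flows else (src, dst)

    def established(self) -> List[FlowKey]:
        return [k for k, s in self.flows.items() if s == ESTABLISHED]


def known_bad_alerts(tracker: Tracker, known_bad: set) -> List[FlowKey]:
    """Alert only for flows that reached ESTABLISHED with a listed responder."""
    return [k for k in tracker.established() if k[1] in known_bad]


SYN, SYNACK, ACK, RST = (frozenset({"SYN"}), frozenset({"SYN", "ACK"}),
                         frozenset({"ACK"}), frozenset({"RST"}))
LOCAL, BAD = "192.0.2.10", "198.51.100.7"   # constructed: local host, listed responder

# Constructed packet sequences (src, dst, flags), one per scenario.
SCENARIOS = {
    "full_handshake":  [(LOCAL, BAD, SYN), (BAD, LOCAL, SYNACK), (LOCAL, BAD, ACK)],
    "spurious_synack": [(BAD, LOCAL, SYNACK)],                      # nothing listening, no RST
    "synack_then_rst": [(BAD, LOCAL, SYNACK), (LOCAL, BAD, RST)],   # local host refuses
    "missed_syn":      [(BAD, LOCAL, SYNACK), (LOCAL, BAD, ACK)],   # our SYN escaped capture
}


def run_scenarios():
    """Return {name: (final_state, alert_count, weirds)} for each scenario."""
    results = {}
    for name, segments in SCENARIOS.items():
        t = Tracker()
        state = NONE
        for src, dst, flags in segments:
            state = t.feed(src, dst, flags)
        results[name] = (state, len(known_bad_alerts(t, {BAD})), list(t.weirds))
    return results


if __name__ == "__main__":
    for name, (state, alerts, weirds) in run_scenarios().items():
        print(f"{name:16s} state={state:16s} alerts={alerts} weirds={weirds}")
```

Only the two scenarios in which the local host acknowledges the SYN-ACK reach ESTABLISHED and produce an alert; the lone SYN-ACK and the SYN-ACK followed by a RST both stay below that bar and are visible only as weirds, which is the behavior the OSU case would want.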

