[Bro-Dev] #285: unsolicited SYN|ACK leads to Event(connection_established) in TCP.cc

Bro Tracker bro-dev at bro-ids.org
Wed Sep 29 12:25:57 PDT 2010

#285: unsolicited SYN|ACK leads to Event(connection_established) in TCP.cc
 Reporter:  hartley.87@…        |       Type:  Problem
   Status:  new                 |   Priority:  Normal 
Component:  Bro                 |    Version:  1.5.1  
 Keywords:                      |  
 In TCP_Analyzer::UpdateInactiveState, in line 674 (of TCP.cc, bro 1.5.1),
 Weird() is called with "unsolicited_SYN_response" but then
 the following code is run, creating a connection_established event in bro.


                         if ( peer->state != TCP_ENDPOINT_PARTIAL )
 I manually anonymized our IP in the packet, otherwise it is as it was on
 the wire. This came up because there is a bro script we use (attr. Seth
 Hall) that fires on connection_established -- otherwise I'd never have
 noticed.  It still consumes a modest amount of memory for the session

 This packet has SYN|ACK, was unsolicited and has seq = ack = 0 but I don't
 think that's a component of the issue.  I'll forge one differently, try it
 and update the ticket when I get a chance.

 Perhaps the StatusUpdateTimer() is meant to delete this event but fails to
 do so because of another feature of the packet.  Like I said, I'm new to
 this code.

 I was thinking of just returning after the Weird() but it's clear that's
 not the right thing
 to do since other flags may go unprocessed.  I spoke with Seth Hall about
 this but I
 wanted to create a ticket as well.

Ticket URL: <http://tracker.icir.org/bro/ticket/285>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list