[Bro-Dev] #285: unsolicited SYN|ACK leads to Event(connection_established) in TCP.cc
Bro Tracker
bro-dev at bro-ids.org
Wed Sep 29 12:25:57 PDT 2010
#285: unsolicited SYN|ACK leads to Event(connection_established) in TCP.cc
--------------------------------+-------------------------------------------
Reporter: hartley.87@… | Type: Problem
Status: new | Priority: Normal
Component: Bro | Version: 1.5.1
Keywords: |
--------------------------------+-------------------------------------------
In TCP_Analyzer::UpdateInactiveState, in line 674 (of TCP.cc, bro 1.5.1),
Weird() is called with "unsolicited_SYN_response" but then
the following code is run, creating a connection_established event in bro.
        endpoint->SetState(TCP_ENDPOINT_ESTABLISHED);
        if ( peer->state != TCP_ENDPOINT_PARTIAL )
            {
            Event(connection_established);
            Conn()->EnableStatusUpdateTimer();
            }
        }
I manually anonymized our IP in the packet, otherwise it is as it was on
the wire. This came up because there is a bro script we use (attr. Seth
Hall) that fires on connection_established -- otherwise I'd never have
noticed. It still consumes a modest amount of memory for the session
timeout.
This packet has SYN|ACK, was unsolicited and has seq = ack = 0 but I don't
think that's a component of the issue. I'll forge one differently, try it
and update the ticket when I get a chance.
Perhaps the StatusUpdateTimer() is meant to delete this event but fails to
do so because of another feature of the packet. Like I said, I'm new to
this code.
I was thinking of just returning after the Weird() but it's clear that's
not the right thing to do since other flags may go unprocessed. I spoke
with Seth Hall about this but I wanted to create a ticket as well.
--
Ticket URL: <http://tracker.icir.org/bro/ticket/285>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker
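Added example, not part of the ticket or of Bro's source: a small constructed model of the endpoint state machine the report describes, to show the behaviour being reported next to a hardened variant. All names (EpState, update_inactive_state, the `strict` switch) are assumptions made for this illustration; they are not Bro 1.5.1 identifiers. With `strict` off, an unsolicited SYN|ACK raises the weird and still marks the endpoint established, exactly as the quoted snippet does; with `strict` on, the endpoint becomes partial instead and the event is suppressed, while RST and other flags are still processed rather than skipped by an early return.

```cpp
#include <string>
#include <vector>

// Constructed model of per-endpoint TCP state (not Bro's own enum).
enum class EpState { Inactive, SynSent, Partial, Established, Reset };

struct Flags { bool syn = false; bool ack = false; bool rst = false; };

struct Endpoint { EpState state = EpState::Inactive; };

struct Outcome {
    std::vector<std::string> weirds;      // weird notices raised for this packet
    bool connection_established = false;  // would the event fire?
};

// Process a packet for an endpoint that is still Inactive.
// `strict` selects the hardened behaviour: an unsolicited SYN|ACK (peer never
// sent a SYN) is recorded as weird and leaves the endpoint Partial, so no
// connection_established event fires. Other flags are still handled either way.
Outcome update_inactive_state(Endpoint& endpoint, const Endpoint& peer,
                              Flags flags, bool strict)
{
    Outcome out;

    if (flags.rst) {
        endpoint.state = EpState::Reset;   // handled before any early return
        return out;
    }

    if (flags.syn && !flags.ack) {
        endpoint.state = EpState::SynSent; // originator opening a connection
        return out;
    }

    if (flags.syn && flags.ack) {
        bool unsolicited = (peer.state != EpState::SynSent);
        if (unsolicited)
            out.weirds.push_back("unsolicited_SYN_response");

        if (unsolicited && strict) {
            endpoint.state = EpState::Partial; // no handshake was seen
            return out;
        }

        // Behaviour quoted in the ticket: established regardless of the weird.
        endpoint.state = EpState::Established;
        if (peer.state != EpState::Partial)
            out.connection_established = true;
        return out;
    }

    // Bare ACK or data with no handshake seen: partial connection.
    endpoint.state = EpState::Partial;
    return out;
}

// Scenario from the ticket: a lone SYN|ACK from the responder, no prior SYN.
bool lone_syn_ack_fires_established(bool strict)
{
    Endpoint orig, resp;
    Flags synack; synack.syn = true; synack.ack = true;
    Outcome o = update_inactive_state(resp, orig, synack, strict);
    return o.connection_established;
}

// Same scenario, returning the number of weirds raised (1 in both modes).
size_t lone_syn_ack_weird_count(bool strict)
{
    Endpoint orig, resp;
    Flags synack; synack.syn = true; synack.ack = true;
    return update_inactive_state(resp, orig, synack, strict).weirds.size();
}

// Control: a real handshake (originator SYN, responder SYN|ACK) must still
// produce the event with no weird in either mode.
bool handshake_fires_established(bool strict)
{
    Endpoint orig, resp;
    Flags syn; syn.syn = true;
    update_inactive_state(orig, resp, syn, strict);
    Flags synack; synack.syn = true; synack.ack = true;
    Outcome o = update_inactive_state(resp, orig, synack, strict);
    return o.connection_established && o.weirds.empty();
}
```

The point of keeping `strict` as a switch is the one the reporter raises: simply returning after Weird() is too blunt, so the hardened branch only changes what an unsolicited SYN|ACK means for the endpoint's state, and every other flag path is unchanged.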