[Bro-Dev] [JIRA] (BIT-1236) topic/jsiwek/flip-on-syn-ack

Vlad Grigorescu vlad at grigorescu.org
Mon Aug 25 14:40:11 PDT 2014


This ties into something I had noticed recently. Certain scanning tools
like to use the same source port per destination IP (I imagine to cache
portions of the TCP header). During these scans, multiple TCP connections
occur. Bro saw traffic that had:

 - A connection that was set up and torn down as expected (conn_state ==
"SF")
 - A few minutes pass
 - A second connection that was set up and torn down as expected, *except*
that the first SYN was missed - either by Bro or upstream loss.

Bro considered these the same connection.

Does it make sense that following a connection teardown, if a SYN-ACK is
seen, a new connection begins, instead of using the existing connection? I
can probably grab a PCAP if necessary.

  --Vlad


On Mon, Aug 25, 2014 at 4:32 PM, Jon Siwek (JIRA) <
jira at bro-tracker.atlassian.net> wrote:

>
>      [
> https://bro-tracker.atlassian.net/browse/BIT-1236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
> ]
>
> Jon Siwek updated BIT-1236:
> ---------------------------
>     Status: Merge Request  (was: Open)
>
> > topic/jsiwek/flip-on-syn-ack
> > ----------------------------
> >
> >                 Key: BIT-1236
> >                 URL: https://bro-tracker.atlassian.net/browse/BIT-1236
> >             Project: Bro Issue Tracker
> >          Issue Type: Improvement
> >          Components: Bro
> >    Affects Versions: git/master
> >            Reporter: Jon Siwek
> >            Assignee: Robin Sommer
> >             Fix For: 2.4
> >
> >
> > This branch is in bro and bro-testing-private.
> > The goal is the same as https://github.com/bro/bro/pull/11, but I have
> it flip roles at an even earlier point in the code path or else I notice
> some inconsistencies in things like connection history strings or the
> connsize analyzer counters (which were probably also issues w/ the old
> flipping method).
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v6.4-OD-04-006#64001)
> _______________________________________________
> bro-dev mailing list
> bro-dev at bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>
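A small Python model of the merge Vlad describes above, added here as an illustration; it is not code from Bro or from the branch in the ticket. The packet trace, addresses, port reuse and the simplified "closed after two FINs" rule are constructed assumptions standing in for Bro's real connection state machine.

```python
from dataclasses import dataclass, field

@dataclass
class Pkt:
    ts: float      # seconds
    src: tuple     # (ip, port)
    dst: tuple
    flags: str     # "S", "SA", "A" or "F"

@dataclass
class Conn:
    key: tuple
    history: list = field(default_factory=list)
    fins: int = 0

    @property
    def closed(self):
        # FIN seen from both sides: the normal "SF" style teardown
        return self.fins >= 2

def key_of(p):
    # direction-less 5-tuple key, as a connection table would use
    return tuple(sorted([p.src, p.dst]))

def track(pkts, new_conn_on_syn_ack):
    """Toy tracker. A pure SYN on a closed key always starts a new
    connection; a SYN-ACK does so only when new_conn_on_syn_ack is set."""
    table, logged = {}, []
    for p in pkts:
        k = key_of(p)
        c = table.get(k)
        starts = p.flags == "S" or (new_conn_on_syn_ack and p.flags == "SA")
        if c is not None and c.closed and starts:
            logged.append(table.pop(k))   # log the finished connection
            c = None
        if c is None:
            c = table[k] = Conn(k)
        c.history.append(p.flags)
        if "F" in p.flags:
            c.fins += 1
    logged.extend(table.values())
    return logged

# Constructed trace: scanner reuses source port 40000 against the same host.
SCANNER, TARGET = ("192.0.2.10", 40000), ("198.51.100.5", 22)
ENDS = {">": (SCANNER, TARGET), "<": (TARGET, SCANNER)}

def stream(t0, events):
    return [Pkt(t0 + i * 0.01, *ENDS[d], fl) for i, (d, fl) in enumerate(events)]

FIRST = [(">", "S"), ("<", "SA"), (">", "A"), (">", "F"), ("<", "A"), ("<", "F"), (">", "A")]
SECOND = [("<", "SA"), (">", "A"), (">", "F"), ("<", "A"), ("<", "F"), (">", "A")]  # SYN lost
TRACE = stream(0.0, FIRST) + stream(180.0, SECOND)
```

With `new_conn_on_syn_ack=False` the whole trace is logged as one connection whose history carries a second SYN-ACK and four FINs; with it set, the second SYN-ACK after teardown opens a fresh connection.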