[Bro-Dev] [JIRA] (BIT-1236) topic/jsiwek/flip-on-syn-ack
jmellander at lbl.gov
Mon Aug 25 16:45:28 PDT 2014
It would be nice to have an optional hook to the script-level, which could
signal Bro as to which side is the originator, if the 3-way handshake was
missed. There are a number of cases where we could use local site
knowledge to definitively identify originator & responder.
On Mon, Aug 25, 2014 at 2:40 PM, Vlad Grigorescu <vlad at grigorescu.org>
> This ties into something I had noticed recently. Certain scanning tools
> like to use the same source port per destination IP (I imagine to cache
> portions of the TCP header). During these scans, multiple TCP connections
> occur. Bro saw traffic that had:
> - A connection that was setup and torn down as expected (conn_state ==
> - A few minutes pass
> - A second connection that was setup and torn down as expected, *except*
> that the first SYN was missed - either by Bro or upstream loss.
> Bro considered these the same connection.
> Does it make sense that following a connection teardown, if a SYN-ACK is
> seen, a new connection begins, instead of using the existing connection? I
> can probably grab a PCAP if necessary.
> On Mon, Aug 25, 2014 at 4:32 PM, Jon Siwek (JIRA) <
> jira at bro-tracker.atlassian.net> wrote:
>> Jon Siwek updated BIT-1236:
>> Status: Merge Request (was: Open)
>> > topic/jsiwek/flip-on-syn-ack
>> > ----------------------------
>> > Key: BIT-1236
>> > URL: https://bro-tracker.atlassian.net/browse/BIT-1236
>> > Project: Bro Issue Tracker
>> > Issue Type: Improvement
>> > Components: Bro
>> > Affects Versions: git/master
>> > Reporter: Jon Siwek
>> > Assignee: Robin Sommer
>> > Fix For: 2.4
>> > This branch is in bro and bro-testing-private.
>> > The goal is the same as https://github.com/bro/bro/pull/11, but I have
>> it flip roles at an even earlier point in the code path or else I notice
>> some inconsistencies in things like connection history strings or the
>> connsize analyzer counters (which were probably also issues w/ the old
>> flipping method).
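To make the two behaviours discussed in this thread concrete, here is an added stand-alone Python model (not Bro's code, and not a Bro script) of a connection tracker that flips originator/responder when the first packet seen is a SYN-ACK, and that starts a new connection rather than reusing one already torn down. The endpoint labels and packet sequences are constructed; the history letters follow Bro's conn history convention (upper case for the originator, lower case for the responder).

```python
from dataclasses import dataclass, field

# TCP flag bits used by the model.
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04


@dataclass
class Packet:
    src: str
    dst: str
    flags: int


@dataclass
class Conn:
    orig: str
    resp: str
    history: str = ""
    fins: set = field(default_factory=set)
    closed: bool = False


def history_letter(flags, from_orig):
    """Bro-style history letter: S/h for SYN / SYN-ACK, F fin, R reset, A plain ack."""
    if flags & RST:
        ch = "r"
    elif flags & FIN:
        ch = "f"
    elif flags & SYN:
        ch = "h" if flags & ACK else "s"
    else:
        ch = "a"
    return ch.upper() if from_orig else ch


class Tracker:
    def __init__(self):
        self.conns = []

    def _live(self, a, b):
        for c in reversed(self.conns):
            if not c.closed and {c.orig, c.resp} == {a, b}:
                return c
        return None

    def process(self, pkt):
        c = self._live(pkt.src, pkt.dst)
        if c is None:
            # First packet is a SYN-ACK: the SYN was missed, so the sender is the
            # responder. Flip roles *before* creating the connection so the history
            # string is consistent from the first byte counted.
            flipped = bool(pkt.flags & SYN) and bool(pkt.flags & ACK)
            c = Conn(orig=pkt.dst if flipped else pkt.src, resp=pkt.src if flipped else pkt.dst)
            self.conns.append(c)
        c.history += history_letter(pkt.flags, pkt.src == c.orig)
        if pkt.flags & FIN:
            c.fins.add(pkt.src)
        # Teardown (RST, or FIN from both sides): later packets start a new connection.
        if pkt.flags & RST or len(c.fins) == 2:
            c.closed = True
        return c


def run(packets):
    """Feed constructed packets through a fresh tracker and return its connections."""
    t = Tracker()
    for p in packets:
        t.process(p)
    return t.conns
```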