[Bro-Dev] [JIRA] (BIT-1236) topic/jsiwek/flip-on-syn-ack

Jim Mellander jmellander at lbl.gov
Mon Aug 25 16:45:28 PDT 2014


It would be nice to have an optional hook to the script-level, which could
signal Bro as to which side is the originator, if the 3-way handshake was
missed.  There are a number of cases where we could use local site
knowledge to definitively identify originator & responder.


On Mon, Aug 25, 2014 at 2:40 PM, Vlad Grigorescu <vlad at grigorescu.org>
wrote:

> This ties into something I had noticed recently. Certain scanning tools
> like to use the same source port per destination IP (I imagine to cache
> portions of the TCP header). During these scans, multiple TCP connections
> occur. Bro saw traffic that had:
>
>  - A connection that was set up and torn down as expected (conn_state ==
> "SF")
>  - A few minutes pass
>  - A second connection that was set up and torn down as expected, *except*
> that the first SYN was missed - either by Bro or upstream loss.
>
> Bro considered these the same connection.
>
> Does it make sense that following a connection teardown, if a SYN-ACK is
> seen, a new connection begins, instead of using the existing connection? I
> can probably grab a PCAP if necessary.
>
>   --Vlad
>
>
> On Mon, Aug 25, 2014 at 4:32 PM, Jon Siwek (JIRA) <
> jira at bro-tracker.atlassian.net> wrote:
>
>>
>>      [
>> https://bro-tracker.atlassian.net/browse/BIT-1236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
>> ]
>>
>> Jon Siwek updated BIT-1236:
>> ---------------------------
>>     Status: Merge Request  (was: Open)
>>
>> > topic/jsiwek/flip-on-syn-ack
>> > ----------------------------
>> >
>> >                 Key: BIT-1236
>> >                 URL: https://bro-tracker.atlassian.net/browse/BIT-1236
>> >             Project: Bro Issue Tracker
>> >          Issue Type: Improvement
>> >          Components: Bro
>> >    Affects Versions: git/master
>> >            Reporter: Jon Siwek
>> >            Assignee: Robin Sommer
>> >             Fix For: 2.4
>> >
>> >
>> > This branch is in bro and bro-testing-private.
>> > The goal is the same as https://github.com/bro/bro/pull/11, but I have
>> it flip roles at an even earlier point in the code path or else I notice
>> some inconsistencies in things like connection history strings or the
>> connsize analyzer counters (which were probably also issues w/ the old
>> flipping method).
>>
>>
>>
>> --
>> This message was sent by Atlassian JIRA
>> (v6.4-OD-04-006#64001)
>> _______________________________________________
>> bro-dev mailing list
>> bro-dev at bro.org
>> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
>>
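The two situations raised in this thread, a connection whose first observed packet is the SYN-ACK (roles flipped so the SYN-ACK sender becomes the responder) and a SYN-ACK arriving on the same 5-tuple after a completed teardown, as an added Python model. This is illustrative code written for this page, not Bro's connection tracking; the hosts, packets and simplified history letters are constructed.

```python
from dataclasses import dataclass
SYN, ACK, FIN, RST = 0x02, 0x10, 0x01, 0x04  # TCP flag bits

@dataclass
class Conn:
    orig: tuple            # (ip, port) the tracker treats as originator
    resp: tuple
    history: str = ""      # simplified Bro-style history, upper = originator
    fins: int = 0          # bitmask: 1 = orig sent FIN, 2 = resp sent FIN
    closed: bool = False
    flipped: bool = False  # roles came from a SYN-ACK because the SYN was missed

def _letter(flags):
    if flags & SYN:
        return "h" if flags & ACK else "s"
    return "r" if flags & RST else "f" if flags & FIN else "a"

class Tracker:
    def __init__(self):
        self.conns = {}    # frozenset({endpoint, endpoint}) -> [Conn], newest last

    def packet(self, src, dst, flags):
        conns = self.conns.setdefault(frozenset((src, dst)), [])
        cur = conns[-1] if conns else None
        # A SYN or SYN-ACK after teardown opens a fresh connection (the scan case)
        if cur is None or (cur.closed and flags & SYN):
            if flags & SYN and flags & ACK:   # first packet seen is the SYN-ACK
                cur = Conn(orig=dst, resp=src, flipped=True)
            else:
                cur = Conn(orig=src, resp=dst)
            conns.append(cur)
        letter = _letter(flags)
        from_orig = src == cur.orig
        cur.history += letter.upper() if from_orig else letter
        cur.fins |= (1 if from_orig else 2) if flags & FIN else 0
        if flags & RST or cur.fins == 3:
            cur.closed = True

def scan_scenario():
    # Constructed packets: scanner A reuses source port 40000 against B.
    a, b = ("10.0.0.1", 40000), ("10.0.0.2", 80)
    t = Tracker()
    for s, d, f in [(a, b, SYN), (b, a, SYN | ACK), (a, b, ACK),   # full handshake
                    (a, b, FIN | ACK), (b, a, FIN | ACK), (a, b, ACK)]:  # and teardown
        t.packet(s, d, f)
    # Later, same 5-tuple; the scanner's SYN is lost, only the SYN-ACK is seen.
    for s, d, f in [(b, a, SYN | ACK), (a, b, ACK),
                    (a, b, FIN | ACK), (b, a, FIN | ACK), (a, b, ACK)]:
        t.packet(s, d, f)
    return t.conns[frozenset((a, b))]
```

Without the `cur.closed and flags & SYN` test the second exchange would be appended to the first connection's history, which is the merging Vlad observed.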