[Bro-Dev] Bug in Connection::FlipRoles

McMahon, Kevin J kmcmahon at mitre.org
Tue Mar 4 14:39:37 PST 2014

To whom it may concern,

Sorry if I'm not following the proper procedure; this is my first post on this list (please be gentle and point me in the right direction).

There is a bug in Conn.cc in the Connection::FlipRoles routine:

<	resp_addr = orig_addr;
<	orig_addr = tmp_addr;
>	orig_addr = resp_addr;
>	resp_addr = tmp_addr;

This causes the process of correcting the assignment of client/server roles when the SYN and SYN/ACK packets are out of order.

Making the above change (be careful with that as I typed it in by hand) allowed my system to process quite a few more connections than I was able to otherwise.

However, this change does not address the issue when it occurs in an a connection that is to be captured via expect_connection (e.g., ftp_data).  I did some digging into this aspect of out-of-order handshakes but it is a bit more involved than the main line connection processing.  If anyone has advice on that aspect of this issue I'm all ears.

More information about the bro-dev mailing list