[Bro-Dev] Bug in Connection::FlipRoles
McMahon, Kevin J
kmcmahon at mitre.org
Tue Mar 4 14:39:37 PST 2014
To whom it may concern,
Sorry if I'm not following the proper procedure; this is my first post on this list (please be gentle and point me in the right direction).
There is a bug in Conn.cc in the Connection::FlipRoles routine:
< resp_addr = orig_addr;
< orig_addr = tmp_addr;
> orig_addr = resp_addr;
> resp_addr = tmp_addr;
This causes the process of correcting the assignment of client/server roles when the SYN and SYN/ACK packets are out of order.
Making the above change (be careful with that as I typed it in by hand) allowed my system to process quite a few more connections than I was able to otherwise.
However, this change does not address the issue when it occurs in an a connection that is to be captured via expect_connection (e.g., ftp_data). I did some digging into this aspect of out-of-order handshakes but it is a bit more involved than the main line connection processing. If anyone has advice on that aspect of this issue I'm all ears.
More information about the bro-dev