[Bro-Dev] Bug in Connection::FlipRoles
Siwek, Jonathan Luke
jsiwek at illinois.edu
Thu Mar 6 15:22:47 PST 2014
On Mar 4, 2014, at 4:39 PM, McMahon, Kevin J <kmcmahon at mitre.org> wrote:
> Sorry if I'm not following the proper procedure; this is my first post on this list (please be gentle and point me in the right direction).
There are some suggestions on how to contribute at [1]. For straightforward/complete/small patches it’s probably easiest to fork on GitHub and submit a pull request. For anything else, creating a ticket at tracker.bro.org w/ a proposed patch attached is helpful so things don’t get lost. I created a ticket for this at [2] for now if you want to create an account and “watch” it.
[1] http://bro.org/development/contribute.html
[2] https://bro-tracker.atlassian.net/browse/BIT-1148
> There is a bug in Conn.cc in the Connection::FlipRoles routine:
>
> 725,726c725,726
> < resp_addr = orig_addr;
> < orig_addr = tmp_addr;
> ---
>> orig_addr = resp_addr;
>> resp_addr = tmp_addr;
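Review bot: the replacement at lines 725-726 is only a correct swap if tmp_addr was assigned from orig_addr just before line 725, and that assignment is not visible because this is a context-free normal diff. Please resend it as a unified diff (diff -u) against Conn.cc so the tmp_addr line can be checked alongside the change. If tmp_addr does hold orig_addr, the removed lines `resp_addr = orig_addr; orig_addr = tmp_addr;` leave both fields set to the original originator address and lose the responder address, which matters for any log or policy decision keyed on those addresses. Consider replacing the three-step temporary with a single swap of orig_addr and resp_addr so the ordering cannot be reversed again, and add a regression test that flips a connection and checks both addresses.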
That does indeed look wrong, thanks.
> However, this change does not address the issue when it occurs in a connection that is to be captured via expect_connection (e.g., ftp_data). I did some digging into this aspect of out-of-order handshakes but it is a bit more involved than the main line connection processing. If anyone has advice on that aspect of this issue I'm all ears.
If I understand right, this is a separate issue from the bad address swapping. If you’re getting at that the scheduled/expected analyzers mechanism doesn’t take into account this Connection::FlipRoles code path, I think you’re right.
- Jon