[Bro-Dev] Bug in Connection::FlipRoles

Siwek, Jonathan Luke jsiwek at illinois.edu
Thu Mar 6 15:22:47 PST 2014

On Mar 4, 2014, at 4:39 PM, McMahon, Kevin J <kmcmahon at mitre.org> wrote:

> Sorry if I'm not following the proper procedure; this is my first post on this list (please be gentle and point me in the right direction).

There’s some suggestions on how to contribute at [1].  For straight-forward/complete/small patches it’s probably easiest to fork on github and submit a pull request.  For anything else, creating a ticket at tracker.bro.org w/ a proposed patch attached is helpful so things don’t get lost.  I created a ticket for this at [2] for now if you want to create an account and “watch” it.

[1] http://bro.org/development/contribute.html
[2] https://bro-tracker.atlassian.net/browse/BIT-1148

> There is a bug in Conn.cc in the Connection::FlipRoles routine:
> 725,726c725,726
> <	resp_addr = orig_addr;
> <	orig_addr = tmp_addr;
> ---
>> 	orig_addr = resp_addr;
>> 	resp_addr = tmp_addr;

That does indeed look wrong, thanks.

> However, this change does not address the issue when it occurs in an a connection that is to be captured via expect_connection (e.g., ftp_data).  I did some digging into this aspect of out-of-order handshakes but it is a bit more involved than the main line connection processing.  If anyone has advice on that aspect of this issue I'm all ears.

If I understand right, this is a separate issue from the bad address swapping.  If you’re getting at the scheduled/expected analyzers mechanism doesn’t take in to account this Connection::FlipRoles code path, I think you’re right.

- Jon

More information about the bro-dev mailing list