[Bro-Dev] Port flipping

Martina Balintova balint.martina at gmail.com
Fri May 22 04:47:11 PDT 2015

Hi Robin,

I have a problem where a connection missing its SYN is not flipped
correctly, because the client happened to choose a port that Bro thinks is
a server port (IRC, 6666). What is confusing me is the special case in
NetSessions::WantConnection() that prevents the flip. Your comments are
about avoiding being confused by stealth scans, but I think that the flip
will happen in every case except when the client is unlucky enough to use a
“server” port number. Given that is most of the time, why have the special
case at all?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20150522/4c187c96/attachment.html 

More information about the bro-dev mailing list