[Bro] Event for syn-ack packet

Siwek, Jonathan Luke jsiwek at illinois.edu
Wed May 23 09:37:32 PDT 2012


> 
> I want to identify hosts within our monitored network that reply to certain external IP addresses. The reply could be as short as a syn-ack. The event connection_established is too late as it doesn't matter whether the connection was established. All that matters is whether any of our hosts replied to the external IP even if that means a single syn-ack packet. Do we have an event that could be used to capture this information?

I think the main ways to get that information would be to inspect a connection record's "resp$state" or "history" fields to determine if a reply was made, and I'd say within a handler for "connection_state_remove" is a good place to do that if timing isn't critical.  A non-zero value of "resp$state" (not TCP_INACTIVE or not UDP_INACTIVE) or any lower-case letter in "history" would mean there was a reply.

Part of the default set of scripts that get loaded, base/protocols/conn/main.bro, already does some interpretation of endpoint states (at the time of handling "connection_state_remove") and puts that in the "Conn::Info::conn_state" field.  Along with that, it also picks up the connection record's "history" field and will log both.  There's more description of the meaning of those fields in that script's comments or online at: http://www.bro-ids.org/documentation/scripts/base/protocols/conn/main.html

So a simple example you can try (relying on those default "conn" scripts):

@load base/protocols/conn

# External addresses whose connections we want to watch for a reply.
global bad_stuff: set[addr] = { 1.2.3.4, 5.6.7.8 };

# Conn::log_conn fires once per connection when the conn.log record is written,
# i.e. after connection_state_remove, so the history string is complete here.
event Conn::log_conn(rec: Conn::Info)
    {
    # History letters are upper-case for the originator and lower-case for the
    # responder, so any lower-case letter means one of our hosts sent something
    # back (e.g. "Sh" is a SYN answered by nothing more than a SYN-ACK).
    if ( rec$id$orig_h in bad_stuff && /[a-z]/ in rec$history )
        {
        # do something like raise a notice that will generate email, etc.
        }
    }
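The same "any lower-case letter in history" test can be checked offline against an existing conn.log before the Bro script is deployed. The script below is an added example, not part of the original thread or of the Bro distribution: it parses Bro's tab-separated conn.log format, keeps the connections whose originator is one of the watched external addresses, and reports which of them got a reply from the responder and what that reply consisted of. The sample log, the watched addresses and the function names (parse_conn_log, responder_replied, find_replies) are constructed for the example; the history-letter meanings are the subset documented for conn.log (S/h/a/d/f/r).

```python
"""Offline check of the conn.log history heuristic from the post (added example)."""
import ipaddress
import re
from typing import Dict, Iterable, List

# conn.log history letters; upper-case = originator, lower-case = responder.
# Only the common subset is mapped here; unknown letters are shown as "?".
HISTORY_LETTERS = {
    "s": "SYN", "h": "SYN-ACK", "a": "ACK", "d": "data payload",
    "f": "FIN", "r": "RST", "c": "bad checksum", "i": "inconsistent packet",
}

# Any lower-case letter means the responder sent at least one packet.
RESPONDER_ACTIVITY = re.compile(r"[a-z]")

# Constructed sample conn.log (Bro's TSV layout, trimmed to the fields used).
# Lines 2-4 and 6 are replies of different kinds; line 1 is an unanswered SYN
# and line 5 comes from an address that is not on the watch list.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\thistory
1337000000.000000\tCAAAAA\t1.2.3.4\t45678\t10.0.0.5\t22\ttcp\tS0\tS
1337000001.000000\tCBBBBB\t1.2.3.4\t45679\t10.0.0.6\t22\ttcp\tSH\tSh
1337000002.000000\tCCCCCC\t5.6.7.8\t51000\t10.0.0.7\t80\ttcp\tREJ\tSr
1337000003.000000\tCDDDDD\t5.6.7.8\t51001\t10.0.0.8\t80\ttcp\tSF\tShADadFf
1337000004.000000\tCEEEEE\t9.9.9.9\t40000\t10.0.0.9\t53\tudp\tS0\tD
1337000005.000000\tCFFFFF\t5.6.7.8\t40001\t10.0.0.10\t53\tudp\tSF\tDd
"""


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro conn.log text into one dict per record, keyed by #fields names."""
    fields = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other header/footer lines (#separator, #types, #close, ...)
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("malformed conn.log line: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows


def responder_replied(history: str) -> bool:
    """The test from the post: a lower-case history letter means the responder replied.

    An unset history is logged as "-", which contains no letters and so is a miss.
    """
    return RESPONDER_ACTIVITY.search(history) is not None


def describe_reply(history: str) -> str:
    """Human-readable list of what the responder sent, in order of first appearance."""
    return ", ".join(HISTORY_LETTERS.get(ch, "?") for ch in history if ch.islower())


def find_replies(conn_log: str, watched: Iterable[str]) -> List[Dict[str, str]]:
    """Return the connections from a watched external originator that got any reply."""
    watched_addrs = {ipaddress.ip_address(a) for a in watched}
    hits = []
    for rec in parse_conn_log(conn_log):
        if ipaddress.ip_address(rec["id.orig_h"]) not in watched_addrs:
            continue
        if not responder_replied(rec["history"]):
            continue
        hits.append({
            "uid": rec["uid"],
            "internal_host": rec["id.resp_h"],
            "external_host": rec["id.orig_h"],
            "proto": rec["proto"],
            "conn_state": rec["conn_state"],
            "history": rec["history"],
            "reply": describe_reply(rec["history"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_replies(SAMPLE_CONN_LOG, ["1.2.3.4", "5.6.7.8"]):
        print("%(internal_host)s answered %(external_host)s (%(proto)s, %(conn_state)s, "
              "history=%(history)s): %(reply)s" % hit)
```

Note that a responder RST ("Sr", conn_state REJ) counts as a reply under this test: the internal host did not accept the connection, but it did talk back to the external address, which is exactly the distinction the original question draws between "replied" and "established".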
