[Bro] Connection History: "connection direction was flipped by Bro’s heuristic"
Dave Crawford
bro at pingtrip.com
Fri Apr 21 16:35:18 PDT 2017
What does the caret ("connection direction was flipped by Bro’s heuristic") in a connection's history mean? If the packet in question was spoofed (like the receiving end of a DNS amplification attack), would that trigger Bro’s heuristics?
Below are entries from the dns, conn and weird logs for the same event, for which I can’t find any indication that it sourced from my network. Additionally, there are no subsequent connection attempts to the IP contained in the response packet.
dns.log
1491285594.163321 CFXfdl4zMQrM2T15Wa <REDACTED> 57555 194.9.69.193 53 udp 21705 - wfuvsrsrwb.www.91duofenxiang[.]com - - - - 0 NOERROR F F F T 0 193.58.251[.]1 60.000000 F
conn.log
1491285594.163321 CFXfdl4zMQrM2T15Wa <REDACTED> 57555 194.9.69.193 53 udp dns - - - SHR T ^d 0 0 1 94 (empty) PDC_NSM-4 US RU
weird.log
1491285604.163437 CFXfdl4zMQrM2T15Wa <REDACTED> 57555 194.9.69.193 53 dns_unmatched_msg - F PDC_NSM-4
Thanks,
-Dave
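The record above has a history of `^d` with zero originator packets, i.e. Bro flipped the direction and then only ever saw payload from the "responder". The script below, an added example that is not part of the post or of the Bro project, decodes the conn.log `history` letters (uppercase = originator, lowercase = responder, `^` = direction flipped, as the conn.log documentation defines them) and pulls out records of that one-sided, flipped shape from a conn.log. It assumes the default conn.log column order (21 fields, including `local_resp`); the three log lines embedded in it are constructed with RFC 5737 addresses and made-up values, not the poster's data. Finding such a record only tells you Bro saw one side of the exchange, not whether the packet was spoofed.

```python
"""Decode the Bro/Zeek conn.log ``history`` field and pick out one-sided,
direction-flipped records (history starting with '^', no originator packets).

Added example, not code from the mailing-list post or from the Bro project.
SAMPLE_CONN_LOG is constructed sample data; the column order is the assumed
default conn.log layout (records with extra site-specific columns are skipped).
"""

# Letter meanings per the conn.log documentation. Uppercase letters come from
# the originator, lowercase from the responder; '^' applies to the whole flow.
HISTORY_LETTERS = {
    "s": "SYN without ACK",
    "h": "SYN+ACK (handshake)",
    "a": "pure ACK",
    "d": "packet with payload",
    "f": "FIN",
    "r": "RST",
    "c": "bad checksum",
    "i": "inconsistent packet (e.g. SYN+RST)",
    "q": "multi-flag packet (SYN+FIN or SYN+RST)",
}
FLIPPED = "^"
FLIPPED_TEXT = "connection direction was flipped by Bro's heuristic"

# Assumed default conn.log field order (21 columns).
CONN_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto",
    "service", "duration", "orig_bytes", "resp_bytes", "conn_state",
    "local_orig", "local_resp", "missed_bytes", "history", "orig_pkts",
    "orig_ip_bytes", "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]


def decode_history(history):
    """Return a list of (side, description) tuples for one history string."""
    events = []
    for ch in history:
        if ch == FLIPPED:
            events.append(("both", FLIPPED_TEXT))
            continue
        side = "originator" if ch.isupper() else "responder"
        meaning = HISTORY_LETTERS.get(ch.lower(), "unknown letter %r" % ch)
        events.append((side, meaning))
    return events


def parse_conn_log(text):
    """Parse tab-separated conn.log text into dicts keyed by CONN_FIELDS."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip the #fields/#types header and blank lines
        parts = line.split("\t")
        if len(parts) != len(CONN_FIELDS):
            continue  # layout differs from the assumed default; skip it
        rows.append(dict(zip(CONN_FIELDS, parts)))
    return rows


def one_sided_flipped(rows):
    """UIDs where Bro flipped direction and never saw an originator packet.

    This is the shape of the record quoted in the post: history begins with
    '^', orig_pkts is 0 and every packet came from the 'responder'.
    """
    return [r["uid"] for r in rows
            if r["history"].startswith(FLIPPED)
            and r["orig_pkts"] == "0" and r["resp_pkts"] not in ("0", "-")]


def _row(*fields):
    return "\t".join(fields)


# Constructed sample: a normal DNS exchange, a flipped one-sided reply, and an
# unanswered query. Addresses are RFC 5737/1918 examples, values are made up.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\t" + "\t".join(CONN_FIELDS),
    _row("1491285594.163321", "Cnormal1", "10.0.0.5", "50001", "10.0.0.53", "53",
         "udp", "dns", "0.012000", "40", "120", "SF", "T", "T", "0", "Dd",
         "1", "68", "1", "148", "(empty)"),
    _row("1491285594.163321", "Cflipped2", "10.0.0.5", "57555", "203.0.113.9", "53",
         "udp", "dns", "-", "-", "-", "SHR", "T", "F", "0", "^d",
         "0", "0", "1", "94", "(empty)"),
    _row("1491285595.000000", "Cnoanswer3", "10.0.0.5", "50002", "10.0.0.53", "53",
         "udp", "dns", "-", "-", "-", "S0", "T", "T", "0", "D",
         "1", "68", "0", "0", "(empty)"),
])

if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    for r in rows:
        print(r["uid"], r["conn_state"], r["history"], decode_history(r["history"]))
    print("one-sided flipped:", one_sided_flipped(rows))
```

Point `parse_conn_log` at a real conn.log (after adjusting `CONN_FIELDS` to the `#fields` line of that file) and `one_sided_flipped` gives the candidates to cross-check against dns.log and weird.log `dns_unmatched_msg` entries, as the poster did by UID.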