[Bro] source ip and destination ip have been swapped in bro logs

Seth Hall seth at corelight.com
Fri Oct 6 06:25:50 PDT 2017



On 6 Oct 2017, at 7:27, Ul Asad, Hafiz wrote:

> I have noticed in my bro notices.log that, for a connection, the 
> source_ip and destination_ip, as well as the corresponding ports, have 
> been swapped. Is there an explanation for it somewhere, and how do I 
> find for which connection bro does this?

Bro will try to get the relationship between who "originated" and 
"responded" to the connection correct.  Let's imagine the case that the 
initial syn packet for an http connection was dropped so the first 
packet that Bro saw was source port 80 and the dest port will be some 
arbitrary high number.  Bro will look at the connection and make a guess 
that it may be looking at the connection backwards and flip it.  The 
fact that the flip happened is also indicated in the "history" field in 
the conn log with the caret "^".

There are a lot of other scenarios that could lead to the same behavior 
too.  If you'd like to go further into the particular case you're 
encountering, you could send a conn log entry that looks problematic to 
the list (with IP addresses hidden) and we may be able to diagnose the 
particular problem you're seeing.

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com
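The "history" check Seth describes can be applied to a conn.log mechanically. The script below is an added example, not code from the mailing list or from the Bro project: it parses a constructed conn.log excerpt (Bro's tab-separated format with a `#fields` header), flags records whose history contains the caret `^` that Bro adds when it flips originator and responder, and, as an illustrative heuristic of my own, marks records with no `S` (no SYN seen) and a well-known port on the originator side as worth a second look. The UIDs, addresses and timestamps in the sample are made up.

```python
"""Flag conn.log records whose direction Bro flipped (history contains '^')."""

from dataclasses import dataclass
from typing import Dict, List

# Constructed sample conn.log excerpt (not real traffic). Tab-separated, as Bro writes it.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\thistory",
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring",
    "\t".join(["1507303650.123", "CAbc1", "10.0.0.5", "52344", "192.0.2.10", "80", "tcp", "ShADadFf"]),
    "\t".join(["1507303651.456", "CDef2", "10.0.0.7", "49211", "192.0.2.10", "80", "tcp", "^hADadFf"]),
    "\t".join(["1507303652.789", "CGhi3", "192.0.2.10", "80", "10.0.0.9", "33100", "tcp", "ADadFf"]),
    "#close\t2017-10-06-06-25-50",
])


@dataclass
class ConnRecord:
    uid: str
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    history: str

    @property
    def flipped(self) -> bool:
        # Bro records '^' in the history when it decides it saw the
        # connection backwards and swapped originator and responder.
        return "^" in self.history

    @property
    def saw_syn(self) -> bool:
        # Uppercase 'S' = SYN from the originator; absent when the handshake was missed.
        return "S" in self.history


def parse_conn_log(text: str) -> List[ConnRecord]:
    """Parse Bro's tab-separated conn.log, using the #fields header for column names."""
    fields: List[str] = []
    records: List[ConnRecord] = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # other metadata lines (#separator, #types, #close)
        row: Dict[str, str] = dict(zip(fields, line.split("\t")))
        records.append(ConnRecord(
            uid=row["uid"],
            orig_h=row["id.orig_h"], orig_p=int(row["id.orig_p"]),
            resp_h=row["id.resp_h"], resp_p=int(row["id.resp_p"]),
            history=row["history"],
        ))
    return records


def classify(rec: ConnRecord) -> str:
    """'flipped' if Bro swapped the endpoints; 'suspect' is an illustrative
    heuristic (my assumption, not Bro's): no SYN seen and a well-known port
    on the originator side, which is the situation the reply describes."""
    if rec.flipped:
        return "flipped"
    if not rec.saw_syn and rec.orig_p < 1024 and rec.resp_p >= 1024:
        return "suspect"
    return "ok"


def triage(text: str) -> Dict[str, str]:
    """Map each uid in the log to its classification."""
    return {r.uid: classify(r) for r in parse_conn_log(text)}


if __name__ == "__main__":
    for uid, verdict in triage(SAMPLE_CONN_LOG).items():
        print(uid, verdict)
```

Run it against a real conn.log by replacing `SAMPLE_CONN_LOG` with the file's contents; records reported as "flipped" are the ones where the notices.log endpoints will appear swapped relative to the first packet on the wire.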

