[Bro] source ip and destination ip have been swaped in bro logs

Ul Asad, Hafiz Hafiz.Ul-Asad.1 at city.ac.uk
Fri Oct 6 07:08:59 PDT 2017


Thanks for this, this is really useful.

Asad

Get Outlook for Android<https://aka.ms/ghei36>


________________________________
From: Seth Hall <seth at corelight.com>
Sent: Friday, October 6, 2017 2:25:50 PM
To: Ul Asad, Hafiz
Cc: bro at bro.org
Subject: Re: [Bro] source ip and destination ip have been swaped in bro logs



On 6 Oct 2017, at 7:27, Ul Asad, Hafiz wrote:

> I have noticed in my bor notices.log, that a for a connection, the
> source_ip and destination_ip, as well as the corresponding ports, have
> been swaped. Is there any explaination for it somewhere and how to
> find that for which connection bro does this?

Bro will try to get the relationship between who "originated" and
"responded" to the connection correct.  Let's imagine the case that the
initial syn packet for an http connection was dropped so the first
packet that Bro saw was source port 80 and the dest port will be some
arbitrary high number.  Bro will look at the connection and make a guess
that it may be looking at the connection backwards and flip it.  The
fact that the flip happened is also indicated in the "history" field in
the conn log with the caret "^".

There are a lot of other scenarios that could lead to the same behavior
too.  If you'd like to go further into the particular case you're
encountering, you could send a conn log entry that looks problematic to
the list (with IP addresses hidden) and we may be able to diagnose the
particular problem you're seeing.

   .Seth

--
Seth Hall * Corelight, Inc * www.corelight.com<http://www.corelight.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20171006/97596b02/attachment-0001.html 


More information about the Bro mailing list