This ties into something I had noticed recently. Certain scanning tools like to use the same source port per destination IP (I imagine to cache portions of the TCP header). During these scans, multiple TCP connections occur. Bro saw traffic that had:

 - A connection that was setup and torn down as expected (conn_state == "SF")
 - A few minutes pass
 - A second connection that was setup and torn down as expected, *except* that the first SYN was missed - either by Bro or upstream loss.

Bro considered these the same connection.

Does it makes sense that following a connection teardown, if a SYN-ACK is seen, a new connection begins, instead of using the existing connection? I can probably grab a PCAP if necessary.

  --Vlad


On Mon, Aug 25, 2014 at 4:32 PM, Jon Siwek (JIRA) <jira@bro-tracker.atlassian.net> wrote:

     [ https://bro-tracker.atlassian.net/browse/BIT-1236?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-1236:
---------------------------
    Status: Merge Request  (was: Open)

> topic/jsiwek/flip-on-syn-ack
> ----------------------------
>
>                 Key: BIT-1236
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1236
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>            Assignee: Robin Sommer
>             Fix For: 2.4
>
>
> This branch is in bro and bro-testing-private.
> The goal is the same as https://github.com/bro/bro/pull/11, but I have it flip roles at an even earlier point in the code path or else I notice some inconsistencies in things like connection history strings or the connsize analyzer counters (which were probably also issues w/ the old flipping method).



--
This message was sent by Atlassian JIRA
(v6.4-OD-04-006#64001)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev