On 12/29/20 6:30 AM, Eiji Yanagi via zeek wrote:
> Is there any reason for this default code that reverses the network
> direction if an "H" or "s" flag is seen in the TCP flags?

This is actually a bit subtle and might be a bug.
"H" means a SYN-ACK from the originator -- not a pure ACK. Zeek
considers the sender of the first packet in a new connection the
originator, but might revise this later if the protocols involved allow
it to understand things better. TCP's header flags usually allow it to
do so. That said, Zeek treats a connection start via SYN-ACK specially
and doesn't immediately flip endpoints, exactly because it might be a
scan. The code you're flagging is in a connection_attempt event, which
only occurs when an originator has sent a SYN or a SYN-ACK and the other
side never responded. Therefore I think the reverse-scan logic in the
snippet you're showing is faulty: Zeek correctly labels the originator
the sender of the SYN-ACK -- it must be the scanner, since the other
side never speaks.

The code you're referring to for "s" is different. I assume you mean the
connection_rejected handler in the same script. "s" means a pure SYN
from the responder. In a connection_rejected handler, one end attempted
the connection, and the other sent a RST. If for whatever reason Zeek
considers the SYN to have come from the responder, that's most likely
incorrect and so you'd indeed want to reverse endpoints.

I'm reading the tea leaves a bit here ... I think Seth originally wrote
this, so he might know better.
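Added example (editor's note): the script below is not the snippet from the original question, nor the zeek project's own misc/scan.zeek. It implements the endpoint handling the reply above argues for: in connection_attempt the originator stays the scanner even when the history contains "H", and in connection_rejected the endpoints are swapped when the history contains "s". Only connection_attempt, connection_rejected, c$id and c$history are Zeek's own; the module name, the ScanVerdict record and the scan_source helper are assumed names for illustration.

```zeek
# Hypothetical module name; not part of zeek's scan.zeek.
module ScanExample;

export {
	## Which endpoint to count as the scanner, and whether Zeek's
	## originator/responder labels had to be swapped to get there.
	type ScanVerdict: record {
		scanner: addr;
		target:  addr;
		flipped: bool;
	};

	## Hypothetical helper: pick the scanner from the connection's
	## endpoints, optionally swapping originator and responder.
	global scan_source: function(c: connection, flip: bool): ScanVerdict;
}

function scan_source(c: connection, flip: bool): ScanVerdict
	{
	if ( flip )
		return [$scanner=c$id$resp_h, $target=c$id$orig_h, $flipped=T];

	return [$scanner=c$id$orig_h, $target=c$id$resp_h, $flipped=F];
	}

# Reminder of the history letters used below: uppercase letters are
# packets from the originator, lowercase from the responder.
#   S/s = SYN, H/h = SYN-ACK, R/r = RST.

event connection_attempt(c: connection)
	{
	# connection_attempt fires only when the originator sent a SYN ("S")
	# or a SYN-ACK ("H") and the responder never answered.  Either way the
	# originator is the only side that spoke, so it is the scanner; an "H"
	# here is not a reason to flip the endpoints.
	local v = scan_source(c, F);
	print fmt("attempt:  scanner=%s target=%s history=%s",
	          v$scanner, v$target, c$history);
	}

event connection_rejected(c: connection)
	{
	# connection_rejected fires when one side tried to connect and the
	# other replied with a RST.  A lowercase "s" means the SYN came from
	# the side Zeek currently labels the responder, so swap the endpoints
	# before attributing the scan.
	local v = scan_source(c, "s" in c$history);
	print fmt("rejected: scanner=%s target=%s history=%s%s",
	          v$scanner, v$target, c$history,
	          v$flipped ? " (endpoints swapped)" : "");
	}
```

Run it with `zeek -r some.pcap scan_example.zeek` against a capture that contains unanswered SYN-ACKs and RST-rejected connection attempts; the two print lines show which endpoint each handler attributes the probe to. The flip decision is kept in one small helper so it can be unit-tested separately from the event handlers.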