
List:       bro
Subject:    Re: [Bro] Bro conn log history questions
From:       Jon Siwek <jsiwek () corelight ! com>
Date:       2018-06-08 15:58:06
Message-ID: CAMzgZ0Lmic4f4oM_bU5TmZqgooQG_qexhaa+PaP+w4zJuoj8hQ () mail ! gmail ! com

On Fri, Jun 1, 2018 at 3:05 PM Chris Herdt <cherdt@umn.edu> wrote:
> 
> Sometimes I see multiple R flags in the conn.log history field. Example (field
> order alphabetized due to attempts to prettify JSON): I'm not certain how to
> interpret this. I assume that means Bro detected multiple RST packets from the
> originator, but that also contradicts the documentation

Seems like a case of the docs being wrong/outdated.  I've changed it:

## If the event comes from the originator, the letter is in
## upper-case; if it comes from the responder, it's in
## lower-case.  The 'a', 'c', 'd', 'i', 'q', and 't' flags are
## recorded a maximum of one time in either direction regardless
## of how many are actually seen.  However, 'f', 'h', 'r', or
## 's' may be recorded multiple times for either direction and
## only compressed when sharing a sequence number with the
## last-seen packet of the same flag type.

So yeah, I'd interpret multiple 'R' in the history field as "saw at
least that many RST packets from originator that did not share the
same sequence number as the last RST".

> Additionally, I sometimes see an H flag in the conn.log. I would only expect to see
> a SYN-ACK from the responder, so I'm wondering why Bro's heuristics didn't flip the
> connection.

Last I recall, it won't flip roles upon just first witnessing a
SYN-ACK.  Some thoughts/history related to that at [1].

So, just glancing at the TCP code, it seems like it may record the
history before deciding to flip the roles in at least one situation:
if it first sees a SYN-ACK, it could record 'H', but then later see a
SYN from the peer and decide to flip the roles at that point.

- Jon

[1] https://bro-tracker.atlassian.net/browse/BIT-1236
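The following is an added example (not code from the thread or from Bro itself) that applies the reading of the history field given above to JSON conn.log records: it splits the history string into per-direction flag counts, checks the documented once-per-direction rule, and picks out records with several originator RSTs or an 'H' recorded on the originator side. The uids, addresses and history strings in SAMPLE_CONN_LOG are constructed samples.

```python
import json
from collections import Counter

# From the doc text quoted above: 'a','c','d','i','q','t' are recorded at most once per direction.
ONCE_PER_DIRECTION = set("acdiqt")


def parse_history(history):
    """Return {"orig": Counter, "resp": Counter} of flags, keyed by lower-case letter.
    Upper-case letters in the history string come from the originator, lower-case
    from the responder; non-letter markers are skipped."""
    counts = {"orig": Counter(), "resp": Counter()}
    for ch in history:
        if ch.isalpha():
            counts["orig" if ch.isupper() else "resp"][ch.lower()] += 1
    return counts


def originator_rst_count(history):
    """RST packets from the originator not sharing a sequence number with the last RST."""
    return parse_history(history)["orig"]["r"]


def unexpected_repeats(history):
    """Flags the docs say appear at most once per direction but that repeat here."""
    counts = parse_history(history)
    return sorted((side, f) for side in counts for f, n in counts[side].items()
                  if f in ONCE_PER_DIRECTION and n > 1)


def find_anomalies(json_lines):
    """Scan JSON conn.log records (one per line) for the two cases raised in the thread:
    more than one originator RST, and a SYN-ACK recorded on the originator side ('H')."""
    findings = []
    for line in json_lines:
        rec = json.loads(line)
        counts = parse_history(rec.get("history", ""))
        if counts["orig"]["r"] > 1:
            findings.append((rec["uid"], "orig RST x%d" % counts["orig"]["r"]))
        if counts["orig"]["h"]:
            findings.append((rec["uid"], "SYN-ACK from originator side"))
    return findings


# Constructed sample records (not real traffic); uids and addresses are placeholders.
SAMPLE_CONN_LOG = [
    '{"uid": "CsampleA", "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.9", "history": "ShADadRR"}',
    '{"uid": "CsampleB", "id.orig_h": "10.0.0.6", "id.resp_h": "10.0.0.9", "history": "HaDdAfF"}',
    '{"uid": "CsampleC", "id.orig_h": "10.0.0.7", "id.resp_h": "10.0.0.9", "history": "ShADadfF"}',
]
```

Running find_anomalies over a day of conn.log is a cheap way to see how often the 'H' case from the reply shows up on a given sensor.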
_______________________________________________
Bro mailing list
bro@bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

