I upgraded one of my clusters recently and I noticed that the history column in the conn.log has a caret symbol now. The docs say:
^ = "connection direction was flipped by Bro's heuristic"
I was wondering what exactly this means. Which part exactly was flipped? And which heuristic is it referring to?
Here is a line from our conn.log showing what I think is backscatter. (Our network is 220.127.116.11/16.)
128.252.X.Y 57756 18.104.22.168 80 tcp - - - - OTH T F 0 ^h 0 0 1 44
So in this example, what was flipped exactly?
Good question! For background, Bro "flips" connections in the case that it thinks it has orig and resp backwards. You nailed a very common case where this will be true. Since backscatter will frequently have a server port as the src port, the "correct" way to view that connection (if it was an actual full connection) would be to "flip" it and swap the orig and resp.
In the case that you outlined, 22.214.171.124 sent a single packet (a syn-ack based on the history field) with src port 80 and dst port 57756 (the likely actual ephemeral port). Since Bro initially had no context, it viewed 126.96.36.199 as the originator since it was the first host that seemed to send a packet. But, 80/tcp is registered as a likely server port and no other analyzers attached to the connection so Bro flipped it so that the likely server port was the resp_p.
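The behaviour the answer describes, as an added example that is not Bro's own code: a small Python model of the flip heuristic (first packet is a SYN-ACK from a likely server port, so its sender becomes the responder), the history letters that result (uppercase from the originator, lowercase from the responder, `^` when flipped), and a decoder that explains a history value such as the `^h` in the question. The server-port table and the packets are constructed stand-ins; the real `likely_server_ports` table is site-configurable and larger, and Bro's history logic covers more events than the subset modelled here.

```python
# Added example (not Bro/Zeek code): a model of the direction-flip heuristic
# and the conn.log history field. Packet data and the port table are constructed.
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: stand-in for Bro's likely_server_ports table.
LIKELY_SERVER_PORTS = {22, 25, 53, 80, 443}


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False
    payload: int = 0


@dataclass
class Conn:
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    history: str = ""
    flipped: bool = False
    orig_pkts: int = 0
    resp_pkts: int = 0


def history_letter(pkt: Packet) -> str:
    """TCP flags -> conn.log history letter (simplified subset of Bro's set)."""
    if pkt.syn and pkt.ack:
        return "h"
    if pkt.syn:
        return "s"
    if pkt.rst:
        return "r"
    if pkt.fin:
        return "f"
    if pkt.payload > 0:
        return "d"
    if pkt.ack:
        return "a"
    return ""


def should_flip(first: Packet) -> bool:
    """The heuristic from the answer, as modelled here: the first packet seen
    is a SYN-ACK from a likely server port to a non-server port, so its
    sender is really the responder, not the originator."""
    return (first.syn and first.ack
            and first.sport in LIKELY_SERVER_PORTS
            and first.dport not in LIKELY_SERVER_PORTS)


def build_conn(packets: List[Packet]) -> Conn:
    """Assign orig/resp from the first packet (flipping if the heuristic fires),
    then accumulate the history string and per-direction packet counts.
    Uppercase letters come from the originator, lowercase from the responder,
    and each letter is recorded once per direction."""
    first = packets[0]
    if should_flip(first):
        conn = Conn(first.dst, first.dport, first.src, first.sport,
                    history="^", flipped=True)
    else:
        conn = Conn(first.src, first.sport, first.dst, first.dport)
    for pkt in packets:
        from_orig = (pkt.src, pkt.sport) == (conn.orig_h, conn.orig_p)
        if from_orig:
            conn.orig_pkts += 1
        else:
            conn.resp_pkts += 1
        letter = history_letter(pkt)
        if not letter:
            continue
        letter = letter.upper() if from_orig else letter
        if letter not in conn.history:
            conn.history += letter
    return conn


HISTORY_MEANINGS = {
    "s": "SYN without ACK", "h": "SYN-ACK", "a": "pure ACK",
    "d": "payload data", "f": "FIN", "r": "RST", "c": "bad checksum",
    "g": "content gap", "t": "retransmitted", "w": "zero window",
    "i": "inconsistent packet", "q": "multi-flag packet",
}


def decode_history(history: str) -> Tuple[bool, List[Tuple[str, str]]]:
    """Explain a history value: whether the direction was flipped ('^'),
    then (sender, event) pairs in the order they were recorded."""
    flipped = "^" in history
    events = []
    for ch in history:
        if ch == "^" or ch.isdigit():  # digits are repeat counters; skipped here
            continue
        sender = "originator" if ch.isupper() else "responder"
        events.append((sender, HISTORY_MEANINGS.get(ch.lower(), "unknown")))
    return flipped, events


# Constructed replay of the record in the question: a lone SYN-ACK from
# port 80 is the only packet seen. The 128.252.0.1 address is made up.
BACKSCATTER = [Packet("18.104.22.168", 80, "128.252.0.1", 57756,
                      syn=True, ack=True)]

if __name__ == "__main__":
    conn = build_conn(BACKSCATTER)
    print(conn)                          # orig 128.252.0.1:57756, resp :80, history "^h"
    print(decode_history(conn.history))  # (True, [("responder", "SYN-ACK")])
```

Running the replay reproduces the shape of the logged record: after the flip the host that sent the SYN-ACK is the responder, so the letter is a lowercase `h`, and the packet counts come out as 0 from the originator and 1 from the responder, matching the `0 0 1 44` tail of the conn.log line. A normal three-way handshake, by contrast, yields `ShA` with no `^`.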