Event connection_established not working as expected

Hi Guys, I am trying to detect when a remote location attempts to connect to a device and the TCP 3-way handshake has completed. In this case I am looking for the remote to initiate the connection, not the local machine.
I have configured using the following snippet

event connection_established(c: connection)
    {
    if ( (c$id$resp_h in interesting_hosts1) || (c$id$resp_h in interesting_hosts2) || (c$id$resp_h in interesting_hosts3) )
        {
        # action taken on a match (see the attached config.txt)
        }
    }

and it seems to work when the 3-way connection is completed,

But for the following case it gives a false positive and I am not sure why. Pretty new to using Bro but was hoping someone might have an idea?

The remote sends a “syn” to the local host and it replies with a [RST,ACK] (it is supposed to reply with this), and the event is matched. As you can see in the connection log, you do not see any indication that a normal 3-way handshake has occurred. I have attached an anonymized packet capture and the full config.

1437160813.520265 CIqWv01Vb9vHN2vWo2 85.229.5.218 50664 110.162.75.227 445 tcp - 0.015001 0 0 RSTR F T 0 Shr 1 76 2 88 (empty)
1437160814.132934 CVbOXi5l0Vm42iSa5 85.229.5.218 50664 110.162.75.227 445 tcp - 0.014947 0 0 RSTR F T 0 Shr 1 76 2 88 (empty)
1437160820.133261 CU5LPc2t6UbgTgX43i 85.229.5.218 50664 110.162.75.227 445 tcp - 0.024566 0 0 RSTR F T 0 Shr 1 76 2 88 (empty)

Thanks,
Robert

config.txt (2.39 KB)

port 445_anon.pcapng (812 Bytes)
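One way to tell, from the conn.log alone, whether a remote originator actually completed the 3-way handshake with one of the interesting hosts. This is an added example for the thread, not the poster's script and not part of Bro. The history column is the relevant evidence: Bro records one letter per TCP packet type per direction, uppercase for the originator and lowercase for the responder (S = SYN, h = SYN-ACK from the responder, A = pure ACK, D = payload, r/R = RST). The three lines quoted above read "Shr": a SYN from the remote, a SYN-ACK from the local host, then a RST from the local host, and never an A from the originator, so no handshake completed even though the connection_established event fired (the Bro docs describe that event as raised on seeing the responder's SYN-ACK, without requiring the originator's final ACK). The code parses the three lines from the post plus one constructed line with a full "ShADadFf" handshake, and assumes the default Bro 2.x conn.log column order and that the interesting hosts are given as addresses or CIDR prefixes.

```python
"""Tell a completed TCP 3-way handshake from a refused one using conn.log.

Added example for this thread (not the poster's code and not part of Bro).
It parses the three conn.log lines quoted in the post plus one constructed
line, and reports connections where a *remote* originator completed the
handshake with an interesting local responder.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Column order of a default Bro 2.x / Zeek conn.log, which is what the
# space-separated lines in the post follow (assumption: no custom columns).
CONN_FIELDS = [
    "ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "service",
    "duration", "orig_bytes", "resp_bytes", "conn_state", "local_orig",
    "local_resp", "missed_bytes", "history", "orig_pkts", "orig_ip_bytes",
    "resp_pkts", "resp_ip_bytes", "tunnel_parents",
]

# First three lines are copied from the post; the fourth is constructed to show
# what a completed, cleanly closed handshake looks like (uid is made up).
SAMPLE_LOG = """\
1437160813.520265 CIqWv01Vb9vHN2vWo2 85.229.5.218 50664 110.162.75.227 445 tcp - 0.015001 0 0 RSTR F T 0 Shr 1 76 2 88 (empty)
1437160814.132934 CVbOXi5l0Vm42iSa5 85.229.5.218 50664 110.162.75.227 445 tcp - 0.014947 0 0 RSTR F T 0 Shr 1 76 2 88 (empty)
1437160820.133261 CU5LPc2t6UbgTgX43i 85.229.5.218 50664 110.162.75.227 445 tcp - 0.024566 0 0 RSTR F T 0 Shr 1 76 2 88 (empty)
1437160830.000000 CexampleConstructed 85.229.5.218 50670 110.162.75.227 445 tcp - 0.250000 120 340 SF F T 0 ShADadFf 6 440 5 610 (empty)
"""


def parse_conn_line(line: str) -> Dict[str, str]:
    """Split one conn.log line into a field-name -> value dict."""
    parts = line.split()
    if len(parts) != len(CONN_FIELDS):
        raise ValueError(f"expected {len(CONN_FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(CONN_FIELDS, parts))


def handshake_completed(history: str) -> bool:
    """True if the history string records a full 3-way handshake.

    Bro's history letters are per direction: uppercase = originator,
    lowercase = responder.  S = SYN, H/h = SYN-ACK, A/a = pure ACK,
    D/d = payload (which also carries the ACK flag), R/r = RST.  A completed
    handshake therefore needs S, then h, then A (or D) from the originator,
    with no reset from either side before that third packet.
    """
    s = history.find("S")
    if s < 0:
        return False
    h = history.find("h", s + 1)
    if h < 0:
        return False
    third = [i for i in (history.find("A", h + 1), history.find("D", h + 1)) if i >= 0]
    if not third:
        return False
    a = min(third)
    # An R or r between the SYN and the originator's ACK means the handshake
    # was torn down before completing (e.g. "Shr" in the post's log).
    return not any(ch in "Rr" for ch in history[s:a])


def remote_established_to(log_text: str, interesting: List[str]) -> List[str]:
    """UIDs of connections a remote originator fully established with a
    responder in `interesting` (addresses or CIDR prefixes)."""
    nets = [ip_network(x, strict=False) for x in interesting]
    hits = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_conn_line(line)
        if not any(ip_address(rec["resp_h"]) in n for n in nets):
            continue
        # local_orig=F / local_resp=T: the remote side opened the connection.
        if rec["local_orig"] != "F" or rec["local_resp"] != "T":
            continue
        if handshake_completed(rec["history"]):
            hits.append(rec["uid"])
    return hits


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_conn_line(line)
        verdict = "handshake completed" if handshake_completed(rec["history"]) else "no handshake"
        print(rec["uid"], rec["conn_state"], rec["history"], verdict)
    print("alert on:", remote_established_to(SAMPLE_LOG, ["110.162.75.227"]))
```

Run against the lines above, only the constructed "ShADadFf" connection is reported; the three "Shr" lines are dropped because the originator never sent its ACK. The same ordered check can be done inside the Bro event handler on c$history, or deferred to a later event once the originator's ACK has been seen, rather than relying on connection_established alone.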