flipped connections?

Would it make sense for us to begin indicating if Bro "flipped" a connection in the conn.log? Occasionally I see stuff that shows up in various places (right now I'm seeing it in weird.log) and might just be a host doing a SYN scan with src port 80, but Bro will flip that due to the likely_servers_ports variable. It seems to me like an additional boolean value in conn.log would be helpful to know if a connection was flipped or not.

Right now though this information doesn't seem to be available in script land anywhere. Am I correct on that?

  .Seth

> Would it make sense for us to begin indicating if Bro "flipped" a
> connection in the conn.log?

I have several thoughts on this. First, yes, flipping is an ongoing
source of problems due to errors that sometimes arise. Second, the right
way to solve this is using connection history.

That said, I think right now connection history lacks any indication of
just which host was first seen on a flow. I think that's needed to solve
this the correct way (i.e., using history).

> It seems to me like an additional
> boolean value in conn.log would be helpful to know if a connection was
> flipped or not.

I think the problem with this is knowing whether to view the information
as actionable or not (i.e., you still have to decide whether the flipping
was correct or erroneous). Doing it instead on history lets you make the
full decision yourself in your postprocessing.

    Vern