Hooking into source/destination heuristic

Happy New Year, all!

I have a situation where Bro misidentifies the source and destination
of some connections - this occurs during packet loss situations, where
the SYN and SYN/ACK packets are not seen by Bro. Is there a way to
hook into the heuristic for establishing the source/destination of the
connection, so that we can employ local site knowledge of the
connection in order to accurately characterize the connection
(hopefully at the scripting level)? Can I hook into the
connection_established event, and switch source/destination in the
connection record, or are bad things likely to happen as a

Thanks in advance,

Jim Mellander
NERSC Cybersecurity

I don't think there is a way to do it as dynamically as you want. It would be a very easy BiF to write though. Please file a ticket and we'll see about working it in for the 2.1 release.