Happy New Year, all!
I have a situation where Bro misidentifies the source and destination
of some connections - this occurs during packet loss situations, where
the SYN and SYN/ACK packets are not seen by Bro. Is there a way to
hook into the heuristic for establishing the source/destination of the
connection, so that we can employ local site knowledge of the
connection in order to accurately characterize the connection
(hopefully at the scripting level)? Can I hook into the
connection_established event, and switch source/destination in the
connection record, or are bad things likely to happen as a
consequence?
Thanks in advance,
Jim Mellander
NERSC Cybersecurity
510-486-7204