Hooking into source/destination heuristic

Happy New Year, all!

I have a situation where Bro misidentifies the source and destination
of some connections - this occurs during packet loss situations, where
the SYN and SYN/ACK packets are not seen by Bro. Is there a way to
hook into the heuristic for establishing the source/destination of the
connection, so that we can employ local site knowledge of the
connection in order to accurately characterize the connection
(hopefully at the scripting level)? Can I hook into the
connection_established event, and switch source/destination in the
connection record, or are bad things likely to happen as a
consequence?

Thanks in advance,

Jim Mellander
NERSC Cybersecurity
510-486-7204

I don't think there is a way to do it as dynamically as you want. It would be a very easy BiF to write though. Please file a ticket and we'll see about working it in for the 2.1 release.

  .Seth
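An offline take on the idea raised in the question, as an added example that is not part of the original thread and is not Bro code: it post-processes connection records and swaps originator and responder only when no initial SYN was recorded and site knowledge identifies exactly one endpoint as the server. The field names are modelled on conn.log (an assumption), and the `KNOWN_SERVICES` list and sample records are hypothetical, constructed values.

```python
# Assumption: site-maintained set of (server IP, port) pairs; values constructed.
KNOWN_SERVICES = {("10.0.0.5", 22), ("10.0.0.9", 443)}

def should_flip(conn):
    """Flip only if the handshake was missed and site knowledge is unambiguous."""
    if conn["history"].startswith("S"):
        return False  # originator's SYN was observed, so trust the recorded direction
    orig_is_server = (conn["orig_h"], conn["orig_p"]) in KNOWN_SERVICES
    resp_is_server = (conn["resp_h"], conn["resp_p"]) in KNOWN_SERVICES
    return orig_is_server and not resp_is_server

def flip(conn):
    """Return a copy with endpoints, byte counts and history direction swapped."""
    out = dict(conn)
    out["orig_h"], out["resp_h"] = conn["resp_h"], conn["orig_h"]
    out["orig_p"], out["resp_p"] = conn["resp_p"], conn["orig_p"]
    out["orig_bytes"], out["resp_bytes"] = conn["resp_bytes"], conn["orig_bytes"]
    # History letters: upper case = originator, lower case = responder.
    out["history"] = conn["history"].swapcase()
    out["flipped"] = True
    return out

def normalize(conns):
    """Apply the site-knowledge correction to every record."""
    return [flip(c) if should_flip(c) else dict(c, flipped=False) for c in conns]

# Constructed sample records (not real traffic).
SAMPLE = [
    # Mid-stream pickup: the SSH server's data packet was seen first.
    {"orig_h": "10.0.0.5", "orig_p": 22, "resp_h": "192.0.2.7", "resp_p": 51514,
     "orig_bytes": 9000, "resp_bytes": 1200, "history": "DadAFf"},
    # Full handshake observed: left alone.
    {"orig_h": "192.0.2.8", "orig_p": 40000, "resp_h": "10.0.0.9", "resp_p": 443,
     "orig_bytes": 500, "resp_bytes": 7000, "history": "ShADadFf"},
    # Handshake missed, but neither endpoint is a known service: left alone.
    {"orig_h": "10.0.0.77", "orig_p": 50001, "resp_h": "192.0.2.9", "resp_p": 50002,
     "orig_bytes": 10, "resp_bytes": 20, "history": "DdAa"},
]

if __name__ == "__main__":
    for c in normalize(SAMPLE):
        print(c["orig_h"], c["orig_p"], "->", c["resp_h"], c["resp_p"],
              c["history"], c["flipped"])
```

Records where both endpoints or neither endpoint match the service list are left untouched, so the correction never overrides a direction it cannot justify.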