This ties into something I had noticed recently. Certain scanning tools like to use the same source port per destination IP (I imagine to cache portions of the TCP header). During these scans, multiple TCP connections occur. Bro saw traffic that had:
- A connection that was setup and torn down as expected (conn_state == “SF”)
- A few minutes pass
- A second connection that was setup and torn down as expected, except that the first SYN was missed - either by Bro or upstream loss.
Bro considered these the same connection.
Does it makes sense that following a connection teardown, if a SYN-ACK is seen, a new connection begins, instead of using the existing connection? I can probably grab a PCAP if necessary.
–Vlad
Actually, I’m thinking it may already work like you expect in many “normal” situations. One special case I can remember (there may be others) is that Bro may defer closing out a connection even if it sees the teardown control packets when it thinks it may be possible to fill in a content gap (i.e. it thinks there’s packets coming in out of order, but maybe in your case it’s just never seen at all). If that doesn’t fit with what you saw and you’ve got a pcap you can send me, I can try to make sense of it.
- Jon
It would be nice to have an optional hook to the script-level, which could signal Bro as to which side is the originator, if the 3-way handshake was missed. There are a number of cases where we could use local site knowledge to definitively identify originator & responder.
Thanks, Jon.
Here’s a PCAP with an example. I’ve anonymized the IPs, so it can be shared publicly/used as a test if desired.
It does look like the first connection wasn’t torn down in a completely normal way - if I run just that connection through Bro, conn_state is S3, and there are some missed bytes.
Unfortunately, this is a pretty common occurrence when we’re being scanned - traffic spikes, causing Bro to miss more bytes, leading to more of these incorrect connections.
The specific issue is that the jump in seq numbers between the first and second connection cause Bro to think that a lot of traffic was simply missed. This leads to false positives with the SSH heuristic, since now the byte total is over the threshold.
Digging into this, I realize it wasn’t as closely related to this ticket as I thought, so let me know if I should file a new ticket for this.
–Vlad
bug_ssh_8_1_14_anon.pcap (7.16 KB)
The specific issue is that the jump in seq numbers between the first and second connection cause Bro to think that a lot of traffic was simply missed. This leads to false positives with the SSH heuristic, since now the byte total is over the threshold.
As a workaround you may be able to filter out such cases by checking whether connection records report missing data and a history string with more than one handshake?
Digging into this, I realize it wasn't as closely related to this ticket as I thought, so let me know if I should file a new ticket for this.
Yeah, make a ticket.
- Jon