originator/responder possibly swapped

Is it possible for bro to swap the originator and responder IP addresses in its logs.

Below you will see the only conn.log I have for a IP address. The originator is the external host and responder is the internal IP of my org. Then every other log I have ssh and notice where this IP shows up the originator is my internal host and the responder is the external IP.

conn.15: 00: 00-16: 00: 00.log.gz: {
“ts”: 1469114110842,
“uid”: “ClvNzi2EnWQnmykMZ7”,
“id.orig_h”: “EXTERNAL IP”,
“id.orig_p”: 15000,
“id.resp_h”: “INTERNAL HOST”,
“id.resp_p”: 1043,
“proto”: “tcp”,
“duration”: 0.658319,
“orig_bytes”: 416,
“resp_bytes”: 976,
“conn_state”: “SF”,
“local_orig”: false,
“local_resp”: true,
“missed_bytes”: 0,
“history”: “DadAfF”,
“orig_pkts”: 12,
“orig_ip_bytes”: 1040,
“resp_pkts”: 10,
“resp_ip_bytes”: 1496,
“tunnel_parents”: [],
“orig_cc”: “US”,
“sensorname”: “SENSOR-1”
}notice.15: 00: 00-16: 00: 00.log.gz: {
“ts”: 1469113976350,
“uid”: “CseS0Q2AQ0biwoE97g”,
“id.orig_h”: “INTERNAL HOST”,
“id.orig_p”: 1024,
“id.resp_h”: “EXTERNAL IP”,
“id.resp_p”: 15000,
“proto”: “tcp”,
“note”: “SSH::Interesting_Hostname_Login”,
“msg”: “Possible SSH login involving a remote server with an interesting hostname.”,
“sub”: “EXTERNAL DOMAIL”,
“src”: “10.21.4.124”,
“dst”: “EXTERNAL IP”,
“p”: 15000,
“peer_descr”: “SENSOR-1”,
“actions”: [“Notice::ACTION_EMAIL”,
“Notice::ACTION_LOG”],
“suppress_for”: 3600.0,
“dropped”: false
}ssh.15: 00: 00-16: 00: 00.log.gz: {
“ts”: 1469116787409,
“uid”: “CWQdeiL75K07BRtb4”,
“id.orig_h”: “INTERNAL HOST”,
“id.orig_p”: 1427,
“id.resp_h”: “EXTERNAL IP”,
“id.resp_p”: 15000,
“version”: 2,
“auth_success”: true,
“direction”: “OUTBOUND”,
“client”: “SSH-2.0-OpenSSH_3.1p1”,
“server”: “SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2”,
“cipher_alg”: “aes128-cbc”,
“mac_alg”: “hmac-md5”,
“compression_alg”: “none”,
“kex_alg”: “diffie-hellman-group-exchange-sha1”,
“host_key_alg”: “ssh-rsa”,
“host_key”: “REMOVED”,
“remote_location.country_code”: “US”
}

Thoughts as to why? Also, I know I saw this come up before but it has been burried, does auth_success:true indicate that ssh authentication was successful

It could be that Bro missed the first packet in the exchange. The originator will be whoever it sees first, afaik.