length: 40) 211.91.135.39.80 > x.x.x.x.52510: S [tcp sum ok]
...
1095628174.157850 WeirdActivity
bad_TCP_header_len x.x.x.x/52510 > 211.91.135.39/80
...
and why bro use bad tcp port ?
Now I understand the question. The original packet was a SYN ACK from
211.91.135.39/80 to x.x.x.x/52510, but Bro reports it in the opposite
order.
The reason for this (which I agree is not intuitive) is that because the
packet was a SYN ACK, Bro instantiates a corresponding connection in the
opposite direction (because presumably x.x.x.x sent an initial SYN using
source port 52510). Bro's current "weird" framework (which needs to be
reworked) always identifies the connection rather than the culprit, so if
the sender of something strange was the apparent server side, it comes out
looking instead like it came from the apparent client side.
Vern