I have been seeing A LOT of SYN/ACK attacks lately on my net and it seems that every time Bro is switching the orig and resp IPs. Luckily the history column has helped me determine which IP is the true src.
Also, I have SiLK running on my bro sensors and the netflow traffic I get from SiLK is identifying the true src and resp IP addresses but Bro seems to switch the IP addresses. Is this because Bro thinks it missed the SYN packet so it switches the IPs? Should it be doing this?
Bro has a few heuristics for when to flip the endpoints. The main one is
that when it misses the initial SYN but the SYN/ACK is coming *from* a
well-known server port, it assumes it's seeing a responder-side
packet. This table determines what Bro considers a server port:
To help spot cases where the direction got flipped, master recently
got a feature that now adds a '^' flag to the connection history in
Since originator/responder depends on the protocol logic, another
solution would be to log the source address of the first packet of the
connection. I've just written a small script that
should achieve this. As it uses the new bif
"get_current_packet_header()", the script only works with master (see
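The two replies above (the '^' history flag and the "who sent the first packet" question) can be combined into a conn.log post-processing check. This is an added example, not a script from the thread or from the Bro project; it assumes the standard conn.log column names, that uppercase/lowercase history letters denote originator/responder, and that a leading '^' marks a flipped connection. The log rows are constructed.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed, abbreviated conn.log excerpt (tab-separated, no header block).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "history"]
SAMPLE_LOG = """\
1.0\tC1\t10.0.0.5\t51234\t192.0.2.10\t80\ttcp\tShADad
2.0\tC2\t10.0.0.7\t40001\t192.0.2.10\t80\ttcp\t^hR
3.0\tC3\t10.0.0.8\t52000\t198.51.100.9\t443\ttcp\thR
4.0\tC4\t10.0.0.9\t52001\t198.51.100.9\t443\ttcp\thR
"""


def parse_conn(text: str) -> List[Dict[str, str]]:
    """Parse conn.log rows into dicts keyed by the FIELDS above."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rows.append(dict(zip(FIELDS, line.split("\t"))))
    return rows


def first_packet_sender(row: Dict[str, str]) -> Tuple[str, int, str]:
    """Recover who actually sent the first packet Bro saw.

    A leading '^' (master) says Bro swapped the endpoints. On older builds the
    same situation shows up as a history that starts with a lowercase 'h':
    the first event recorded was a SYN/ACK attributed to the responder, which
    only happens when Bro never saw an originator SYN and applied the
    well-known-port heuristic. In both cases the true sender is id.resp_h.
    """
    hist = row["history"]
    flipped = hist.startswith("^") or hist[:1] == "h"
    if flipped:
        return row["id.resp_h"], int(row["id.resp_p"]), "flipped"
    return row["id.orig_h"], int(row["id.orig_p"]), "as-logged"


def flipped_senders(rows: List[Dict[str, str]]) -> Counter:
    """Count first-packet senders of flipped connections; a SYN/ACK flood
    shows up as one address:port pair dominating this counter."""
    counts: Counter = Counter()
    for row in rows:
        ip, port, verdict = first_packet_sender(row)
        if verdict == "flipped":
            counts[(ip, port)] += 1
    return counts


if __name__ == "__main__":
    for (ip, port), n in flipped_senders(parse_conn(SAMPLE_LOG)).most_common():
        print(f"{ip}:{port} sent the first packet of {n} flipped connection(s)")
```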