So I am seeing some weird stuff in my sample pcap of scanners. May be too
obvious and I am just not seeing why/how of it.
Here is the issue : ( I have time in human format for easier read):
SO I just pick one session from conn.log and this is the connection in
question: (there are many more like this):
$ fgrep CspAa42NoEGEaXK4ci conn.log | cf
Apr 12 05:37:42 CspAa42NoEGEaXK4ci 191.254.157.138 45107 128.3.97.204 23 tcp - - - - S0 F T 0 S 1 40 0 0 -
Now as part of debugging I have dumped network_time for various events which
process this connection:
Apr 12 05:37:42 new_connection CspAa42NoEGEaXK4ci
Apr 12 06:13:48 connection_attempt CspAa42NoEGEaXK4ci
Apr 12 06:13:48 connection_state_remove CspAa42NoEGEaXK4ci
Now my understanding is there are various timers involved upon whose expirations
bro infers events such as connection_attempt, connection_reset etc etc. Timers
such as tcp_attempt_delay, tcp_SYN_timeout, tcp_close_delay amongst others. But
all these timers are generally 5 seconds.
Q. Why would connection_attempt event kick in after 36 minutes and 6 seconds ? (
06:13:48 - 05:37:42 ) ?
I have a pcap to share if anyone is interested and replicate on their end.
Aashish
