flip connections that begin with SYN-ACKs if subsequent acks or data seen

This commit is contained in:
Vern Paxson 2022-06-15 14:01:32 -07:00
parent 35121779f1
commit 847963e94d
3 changed files with 48 additions and 22 deletions


@ -230,6 +230,9 @@ public:
void AddHistory(char code) { history += code; } void AddHistory(char code) { history += code; }
const std::string& GetHistory() const { return history; }
void ReplaceHistory(std::string new_h) { history = std::move(new_h); }
// Sets the root of the analyzer tree as well as the primary PIA. // Sets the root of the analyzer tree as well as the primary PIA.
void SetSessionAdapter(packet_analysis::IP::SessionAdapter* aa, analyzer::pia::PIA* pia); void SetSessionAdapter(packet_analysis::IP::SessionAdapter* aa, analyzer::pia::PIA* pia);
packet_analysis::IP::SessionAdapter* GetSessionAdapter() { return adapter; } packet_analysis::IP::SessionAdapter* GetSessionAdapter() { return adapter; }
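Review bot: The new `ReplaceHistory()` accessor is undocumented, and unlike its neighbours it discards state rather than reading or appending to it, so a one-line comment would help the next caller understand when wholesale replacement is legitimate: `// Overwrites the recorded history string; meant for post-FlipRoles() fix-ups, not for ordinary history updates (use AddHistory).` This file section only shows the three accessors, so the class definition continues outside the hunk.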


@ -257,6 +257,29 @@ void TCP_Endpoint::SetContentsFile(FilePtr f)
bool TCP_Endpoint::CheckHistory(uint32_t mask, char code) bool TCP_Endpoint::CheckHistory(uint32_t mask, char code)
{ {
auto conn = Conn();
if ( (code == 'A' || code == 'D') && conn->GetHistory() == "H" )
{
// This is a connection that began with a SYN-ACK rather
// than a SYN. Those don't get flipped (unless they have
// the right combination of likely-server ports) because
// they can arise from stealth scans, and for those the
// SYN-ACK sender *is* the originator.
//
// In addition, we're now seeing productive TCP traffic
// (either a pure ack or a data segment). Regardless of
// whether it's coming from the nominal originator or the
// nominal responder, its presence makes it a lot less likely
// that the initial SYN-ACK represented a stealth scan,
// since if those elicit anything, it should be a RST.
//
// Thus, at this stage we go ahead and flip the connection.
// We then fix up the history (which will initially be "H^").
conn->FlipRoles();
conn->ReplaceHistory("^h");
}
if ( ! IsOrig() ) if ( ! IsOrig() )
{ {
mask <<= 16; mask <<= 16;
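Review bot: The new flip block rewrites the history string to `"^h"` but nothing here re-keys whatever per-role "already seen" state the mask check below maintains; the `mask <<= 16` for the responder half suggests the seen-bits are tracked separately per side, and if `FlipRoles()` does not swap those halves the `H` bit stays recorded against the new originator while the string now attributes it to the responder (a retransmitted SYN-ACK from the new responder would then be appended as a fresh `h`). I cannot see `Conn()->CheckHistory()` or `FlipRoles()` in this hunk, so please confirm; if the halves are not swapped, either swap them in `FlipRoles()` or document the gap next to the `ReplaceHistory("^h")` call with `// NOTE: only the history string is rewritten; the per-role seen-mask is not flipped`. A second, stylistic point: performing an irreversible role flip as a side effect of a function named `CheckHistory()` is surprising to a reader scanning call sites, so a short pointer in the function's header (or hoisting the flip into the caller) would make the control flow easier to follow. `CheckHistory()`'s body continues past the end of this hunk.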


@ -1,24 +1,24 @@
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63. ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp] XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]