flip connections that begin with SYN-ACKs if subsequent acks or data seen
This commit is contained in:
parent
35121779f1
commit
847963e94d
3 changed files with 48 additions and 22 deletions
|
@ -230,6 +230,9 @@ public:
|
|||
|
||||
void AddHistory(char code) { history += code; }
|
||||
|
||||
const std::string& GetHistory() const { return history; }
|
||||
void ReplaceHistory(std::string new_h) { history = std::move(new_h); }
|
||||
|
||||
// Sets the root of the analyzer tree as well as the primary PIA.
|
||||
void SetSessionAdapter(packet_analysis::IP::SessionAdapter* aa, analyzer::pia::PIA* pia);
|
||||
packet_analysis::IP::SessionAdapter* GetSessionAdapter() { return adapter; }
|
||||
|
|
|
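Review bot: `GetHistory` and `ReplaceHistory` are declared without a comment, while the neighbouring `SetSessionAdapter` carries one; since `ReplaceHistory` overwrites whatever has been accumulated (`history = std::move(new_h)`), its intended use should be stated at the declaration, e.g. `// Replaces the accumulated history string wholesale; for fix-ups such as re-attributing the opening SYN-ACK after a connection's roles are flipped.` `GetHistory` hands out a reference into the object, so a one-line note that the reference is invalidated by a subsequent `AddHistory`/`ReplaceHistory` would help callers that keep it across such calls. The enclosing class starts and ends outside the hunk.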
@ -257,6 +257,29 @@ void TCP_Endpoint::SetContentsFile(FilePtr f)
|
|||
|
||||
bool TCP_Endpoint::CheckHistory(uint32_t mask, char code)
|
||||
{
|
||||
auto conn = Conn();
|
||||
|
||||
if ( (code == 'A' || code == 'D') && conn->GetHistory() == "H" )
|
||||
{
|
||||
// This is a connection that began with a SYN-ACK rather
|
||||
// than a SYN. Those don't get flipped (unless they have
|
||||
// the right combination of likely-server ports) because
|
||||
// they can arise from stealth scans, and for those the
|
||||
// SYN-ACK sender *is* the originator.
|
||||
//
|
||||
// In addition, we're now seeing productive TCP traffic
|
||||
// (either a pure ack or a data segment). Regardless of
|
||||
// whether it's coming from the nominal originator or the
|
||||
// nominal responder, its presence makes it a lot less likely
|
||||
// that the initial SYN-ACK represented a stealth scan,
|
||||
// since if those elicit anything, it should be a RST.
|
||||
//
|
||||
// Thus, at this stage we go ahead and flip the connection.
|
||||
// We then fix up the history (which will initially be "H^").
|
||||
conn->FlipRoles();
|
||||
conn->ReplaceHistory("^h");
|
||||
}
|
||||
|
||||
if ( ! IsOrig() )
|
||||
{
|
||||
mask <<= 16;
|
||||
|
|
|
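Review bot: The flip happens before the 'A'/'D' code is recorded, and the rest of `CheckHistory` still selects the mask half with `IsOrig()` (`if ( ! IsOrig() ) mask <<= 16;`); if `FlipRoles()` swaps this endpoint's orig/resp flag, as its name suggests, the code being added is attributed to the post-flip role, and nothing in the hunk says whether that is intended. The literal `"^h"` also silently depends on `FlipRoles()` having turned `"H"` into `"H^"`, which only the long comment mentions in passing; a short comment at the call would make the coupling explicit, e.g. `// FlipRoles() appends '^'; rewrite "H^" as "^h" so the SYN-ACK is credited to the new responder and the flip marker comes first.` Because this re-attribution is one-way and only triggers when the history is exactly "H", a SYN-ACK-first connection that accumulates any other history code before its first ack or data keeps the original orientation, which is worth stating in the comment since it changes which host appears as originator in the connection record. CheckHistory's body continues past the end of the hunk.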
@ -1,24 +1,24 @@
|
|||
### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
|
||||
|
|