From 847963e94deaa9ff299caf0fe85a72984fe07eac Mon Sep 17 00:00:00 2001
From: Vern Paxson
Date: Wed, 15 Jun 2022 14:01:32 -0700
Subject: [PATCH 1/2] flip connections that begin with SYN-ACKs if subsequent acks or data seen

---
 src/Conn.h | 3 ++
 src/analyzer/protocol/tcp/TCP_Endpoint.cc | 23 ++++++++++
 .../Baseline/core.tcp.truncated-header/out | 44 +++++++++----------
 3 files changed, 48 insertions(+), 22 deletions(-)

diff --git a/src/Conn.h b/src/Conn.h
index 960df18129..9abfefa331 100644
--- a/src/Conn.h
+++ b/src/Conn.h
@@ -230,6 +230,9 @@ public:
 	void AddHistory(char code) { history += code; }
+	const std::string& GetHistory() const { return history; }
+	void ReplaceHistory(std::string new_h) { history = std::move(new_h); }
+
 	// Sets the root of the analyzer tree as well as the primary PIA.
 	void SetSessionAdapter(packet_analysis::IP::SessionAdapter* aa, analyzer::pia::PIA* pia);
 	packet_analysis::IP::SessionAdapter* GetSessionAdapter() { return adapter; }
diff --git a/src/analyzer/protocol/tcp/TCP_Endpoint.cc b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
index d0a50d862f..67c40e9d2c 100644
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
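Review bot: The two accessors added after AddHistory() carry no comment while the neighbouring declarations do, and ReplaceHistory() is a wider contract than its neighbours since it discards everything AddHistory() accumulated. Suggested comments: `// Returns the history string accumulated so far.` above GetHistory(), and `// Overwrites the accumulated history wholesale; any bookkeeping kept about which codes were already recorded is not touched.` above ReplaceHistory(). Whether such bookkeeping exists is not visible in this hunk, so adjust the second wording to what Connection actually tracks.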
@@ -257,6 +257,29 @@ void TCP_Endpoint::SetContentsFile(FilePtr f)
 bool TCP_Endpoint::CheckHistory(uint32_t mask, char code)
 	{
+	auto conn = Conn();
+
+	if ( (code == 'A' || code == 'D') && conn->GetHistory() == "H" )
+		{
+		// This is a connection that began with a SYN-ACK rather
+		// than a SYN. Those don't get flipped (unless they have
+		// the right combination of likely-server ports) because
+		// they can arise from stealth scans, and for those the
+		// SYN-ACK sender *is* the originator.
+		//
+		// In addition, we're now seeing productive TCP traffic
+		// (either a pure ack or a data segment). Regardless of
+		// whether it's coming from the nominal originator or the
+		// nominal responder, its presence makes it a lot less likely
+		// that the initial SYN-ACK represented a stealth scan,
+		// since if those elicit anything, it should be a RST.
+		//
+		// Thus, at this stage we go ahead and flip the connection.
+		// We then fix up the history (which will initially be "H^").
+		conn->FlipRoles();
+		conn->ReplaceHistory("^h");
+		}
+
 	if ( ! IsOrig() )
 		{
 		mask <<= 16;
diff --git a/testing/btest/Baseline/core.tcp.truncated-header/out b/testing/btest/Baseline/core.tcp.truncated-header/out
index 9e3abe82d0..ed29ac6e7a 100644
--- a/testing/btest/Baseline/core.tcp.truncated-header/out
+++ b/testing/btest/Baseline/core.tcp.truncated-header/out
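Review bot: The new guard flips on an ACK or data segment from either endpoint, so a scanner that sends a SYN-ACK and then follows it with its own ACK or data toward a silent target is flipped too, which undercuts the stealth-scan rationale in the comment (the "it should be a RST" argument only covers what the target sends back). Restricting the trigger to the peer that received the SYN-ACK preserves the intent and is a one-line change, `if ( (code == 'A' || code == 'D') && ! IsOrig() && conn->GetHistory() == "H" )`, evaluated before the flip so `! IsOrig()` still denotes the nominal responder; whether the truncated-header baseline still flips depends on which side sends the first ACK in that trace, so that needs confirming. Separately, `ReplaceHistory("^h")` rewrites only the string, and nothing in the hunk resets whatever per-code seen-state `Connection::CheckHistory()` presumably keeps for the earlier 'H', so unless `FlipRoles()` clears it the string and that state can diverge later (a further SYN-ACK from the new responder recorded twice, one from the new originator never recorded). The rest of CheckHistory (the `! IsOrig()` mask shift and the return) continues past the end of the hunk.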
@@ -1,24 +1,24 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]

From a94afdec473bc4eb03f876195f37f7a5bdca96fe Mon Sep 17 00:00:00 2001
From: Vern Paxson
Date: Thu, 16 Jun 2022 14:33:11 -0700
Subject: [PATCH 2/2] tie to revised private testing repo

---
 testing/external/commit-hash.zeek-testing-private | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/testing/external/commit-hash.zeek-testing-private b/testing/external/commit-hash.zeek-testing-private
index 569fc23187..db3b63b2c7 100644
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@@ -1 +1 @@
-76a9ffd27c15ff1603216ee77f59cc9d515747c6
+d8088ba741389aa092b5fb284d0849401234809f