Merge remote-tracking branch 'origin/topic/vern/history-tweak'

* origin/topic/vern/history-tweak: tie to revised private testing repo flip connections that begin with SYN-ACKs if subsequent acks or data seen
2025-10-02 14:48:21 +00:00 · 2022-06-16 15:57:19 -07:00 · 2022-06-16 15:57:19 -07:00 · e7a7b2923b
commit e7a7b2923b
parent 6c57046404 a94afdec47
6 changed files with 54 additions and 24 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+5.1.0-dev.56 | 2022-06-16 15:57:19 -0700
+
+  * flip connections that begin with SYN-ACKs if subsequent acks or data seen (Vern Paxson, Corelight)
+
 5.1.0-dev.53 | 2022-06-16 14:27:54 -0700

  * Revert "Merge remote-tracking branch 'turrisxyz/Dependabot-GitHub-Actions'" (Tim Wojtulewicz, Corelight)
--- a/2
+++ b/2
@ -1 +1 @@
-5.1.0-dev.53
+5.1.0-dev.56
--- a/src/Conn.h
+++ b/src/Conn.h
@ -230,6 +230,9 @@ public:

 	void AddHistory(char code) { history += code; }

+	const std::string& GetHistory() const { return history; }
+	void ReplaceHistory(std::string new_h) { history = std::move(new_h); }
+
 	// Sets the root of the analyzer tree as well as the primary PIA.
 	void SetSessionAdapter(packet_analysis::IP::SessionAdapter* aa, analyzer::pia::PIA* pia);
 	packet_analysis::IP::SessionAdapter* GetSessionAdapter() { return adapter; }
--- a/src/analyzer/protocol/tcp/TCP_Endpoint.cc
+++ b/src/analyzer/protocol/tcp/TCP_Endpoint.cc
@ -257,6 +257,29 @@ void TCP_Endpoint::SetContentsFile(FilePtr f)

 bool TCP_Endpoint::CheckHistory(uint32_t mask, char code)
 	{
+	auto conn = Conn();
+
+	if ( (code == 'A' || code == 'D') && conn->GetHistory() == "H" )
+		{
+		// This is a connection that began with a SYN-ACK rather
+		// than a SYN.  Those don't get flipped (unless they have
+		// the right combination of likely-server ports) because
+		// they can arise from stealth scans, and for those the
+		// SYN-ACK sender *is* the originator.
+		//
+		// In addition, we're now seeing productive TCP traffic
+		// (either a pure ack or a data segment).  Regardless of
+		// whether it's coming from the nominal originator or the
+		// nominal responder, its presence makes it a lot less likely
+		// that the initial SYN-ACK represented a stealth scan,
+		// since if those elicit anything, it should be a RST.
+		//
+		// Thus, at this stage we go ahead and flip the connection.
+		// We then fix up the history (which will initially be "H^").
+		conn->FlipRoles();
+		conn->ReplaceHistory("^h");
+		}
+
 	if ( ! IsOrig() )
 		{
 		mask <<= 16;
--- a/testing/btest/Baseline/core.tcp.truncated-header/out
+++ b/testing/btest/Baseline/core.tcp.truncated-header/out
@ -1,24 +1,24 @@
 ### BTest baseline data generated by btest-diff. Do not edit. Use "btest -U/-u" to update. Requires BTest >= 0.63.
 XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
-XXXXXXXXXX.XXXXXX, [orig_h=128.3.26.249, orig_p=25/tcp, resp_h=201.186.157.67, resp_p=60827/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
+XXXXXXXXXX.XXXXXX, [orig_h=201.186.157.67, orig_p=60827/tcp, resp_h=128.3.26.249, resp_p=25/tcp]
--- a/testing/external/commit-hash.zeek-testing-private
+++ b/testing/external/commit-hash.zeek-testing-private
@ -1 +1 @@
-76a9ffd27c15ff1603216ee77f59cc9d515747c6
+d8088ba741389aa092b5fb284d0849401234809f