Merge pull request #1127 from stratosphereips/alya/fix_multiple_recon…

…nection_attempts

Fix problem setting multiple reconnection attempts evidence

dataset/test14-malicious-zeek-dir/conn.log

@@ -0,0 +1,5 @@
+{"ts":79.681977,"uid":"Cw6JBU12nYsbZElIpa","id.orig_h":"10.0.2.15","id.orig_p":546,"id.resp_h":"123.22.123.22","id.resp_p":547,"proto":"tcp","duration":63.02690299999995,"orig_bytes":588,"resp_bytes":0,"conn_state":"REJ","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"D","orig_pkts":7,"orig_ip_bytes":924,"resp_pkts":0,"resp_ip_bytes":0,"orig_l2_addr":"08:00:27:ef:ee:34","resp_l2_addr":"33:33:00:01:00:02"}
+{"ts":79.681977,"uid":"Cw6JBU12nYsbZElIpa","id.orig_h":"10.0.2.15","id.orig_p":546,"id.resp_h":"123.22.123.22","id.resp_p":547,"proto":"tcp","duration":63.02690299999995,"orig_bytes":588,"resp_bytes":0,"conn_state":"REJ","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"D","orig_pkts":7,"orig_ip_bytes":924,"resp_pkts":0,"resp_ip_bytes":0,"orig_l2_addr":"08:00:27:ef:ee:34","resp_l2_addr":"33:33:00:01:00:02"}
+{"ts":79.681977,"uid":"Cw6JBU12nYsbZElIpa","id.orig_h":"10.0.2.15","id.orig_p":546,"id.resp_h":"123.22.123.22","id.resp_p":547,"proto":"tcp","duration":63.02690299999995,"orig_bytes":588,"resp_bytes":0,"conn_state":"REJ","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"D","orig_pkts":7,"orig_ip_bytes":924,"resp_pkts":0,"resp_ip_bytes":0,"orig_l2_addr":"08:00:27:ef:ee:34","resp_l2_addr":"33:33:00:01:00:02"}
+{"ts":79.681977,"uid":"Cw6JBU12nYsbZElIpa","id.orig_h":"10.0.2.15","id.orig_p":546,"id.resp_h":"123.22.123.22","id.resp_p":547,"proto":"tcp","duration":63.02690299999995,"orig_bytes":588,"resp_bytes":0,"conn_state":"REJ","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"D","orig_pkts":7,"orig_ip_bytes":924,"resp_pkts":0,"resp_ip_bytes":0,"orig_l2_addr":"08:00:27:ef:ee:34","resp_l2_addr":"33:33:00:01:00:02"}
+{"ts":79.681977,"uid":"Cw6JBU12nYsbZElIpa","id.orig_h":"10.0.2.15","id.orig_p":546,"id.resp_h":"123.22.123.22","id.resp_p":547,"proto":"tcp","duration":63.02690299999995,"orig_bytes":588,"resp_bytes":0,"conn_state":"REJ","local_orig":false,"local_resp":false,"missed_bytes":0,"history":"D","orig_pkts":7,"orig_ip_bytes":924,"resp_pkts":0,"resp_ip_bytes":0,"orig_l2_addr":"08:00:27:ef:ee:34","resp_l2_addr":"33:33:00:01:00:02"}

modules/flowalerts/conn.py

@@ -267,19 +267,19 @@ def check_multiple_reconnection_attempts(self, profileid, twid, flow):
             reconnections, uids = current_reconnections[key]
             reconnections += 1
             uids.append(flow.uid)
-            current_reconnections[key] = (reconnections, uids)
         except KeyError:
-            current_reconnections[key] = (1, [flow.uid])
+            uids = [flow.uid]
             reconnections = 1
 
+        current_reconnections[key] = (reconnections, uids)
         if reconnections < self.multiple_reconnection_attempts_threshold:
             self.db.set_reconnections(profileid, twid, current_reconnections)
             return
 
         self.set_evidence.multiple_reconnection_attempts(
-            twid, flow, reconnections
+            twid, flow, reconnections, uids
         )
-        # reset the reconnection attempts of this src->dst
+        # reset the reconnection counter of this src->dst
         current_reconnections[key] = (0, [])
 
         self.db.set_reconnections(profileid, twid, current_reconnections)

tests/integration_tests/test_zeek_dataset.py

@@ -46,6 +46,7 @@
                 "Suspicious user-agent:",
                 "Download of an executable",
                 "GRE tunnel",
+                "Multiple reconnection attempts to Destination IP: 123.22.123.22 from IP: 10.0.2.15",
             ],
             "test14-malicious-zeek-dir/",
             6670,