One of the suspected sources of possible false positives (FP) is how AIP may be treating Zeek's flipped flows. See, for example, https://community.zeek.org/t/caret-and-the-stick/5012.
This would somehow make an outbound connection to, say, Google appear in the Zeek logs as an attack.
The flow was flipped by Zeek's heuristic, which we trust is as good as it can get. However, maybe some additional checks can be done to process this type of flow differently to achieve higher accuracy.
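One such additional check, as an added example that is not AIP's own code: Zeek marks a flipped connection with `^` in the conn.log `history` field, so an ingest step can undo the flip before deciding which side is the originator. The conn.log excerpt, the monitored network `192.0.2.0/24` and the IP addresses below are constructed for this example.

```python
import ipaddress

# Constructed conn.log excerpt (tab-separated, subset of Zeek's default fields).
# Zeek puts '^' in the history field when its heuristic flipped the connection,
# i.e. the first packet it saw came from what was really the server side.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\thistory\n"
    "1700000000.1\tCabc1\t203.0.113.5\t443\t192.0.2.10\t51234\ttcp\tSF\t^dADadFf\n"
    "1700000001.2\tCabc2\t198.51.100.7\t40000\t192.0.2.10\t22\ttcp\tS0\tS\n"
)

# Assumed monitored (honeypot) network; constructed for this example.
MONITORED_NET = ipaddress.ip_network("192.0.2.0/24")


def parse_conn_log(text):
    """Parse a Zeek conn.log excerpt into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def naive_attacker(rec):
    """What an ingest step that trusts id.orig_h blindly would report."""
    return rec["id.orig_h"]


def true_originator(rec):
    """Undo Zeek's flip: with '^' in history the real client is id.resp_h."""
    flipped = "^" in rec["history"]
    orig = rec["id.resp_h"] if flipped else rec["id.orig_h"]
    resp = rec["id.orig_h"] if flipped else rec["id.resp_h"]
    return orig, resp, flipped


def classify(rec, monitored=MONITORED_NET):
    """Return ('inbound', originator_ip) or ('outbound', None) after un-flipping.

    Only inbound flows (originator outside the monitored network) are
    candidates for an attacker IP; an un-flipped outbound web connection
    is dropped instead of being scored as an attack.
    """
    orig, _resp, _flipped = true_originator(rec)
    if ipaddress.ip_address(orig) in monitored:
        return "outbound", None
    return "inbound", orig
```

On the sample, the naive path reports the external web server as the attacker for the flipped flow, while `classify` recognises it as outbound and keeps only the real inbound SSH probe.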