Bro always crashes
vern at ee.lbl.gov
Fri May 7 01:33:42 PDT 1999
> without seeing a SYN-ack from B.80 in between. This then leads to
> Bro holding state for the half-established connection after it sees
> A.1234 -> B.80.

I should add that I diagnosed this because the connection summaries
Bro generated on stdout looked like:

925897359.600000 0.26 http ? 1775 18.104.22.168 22.214.171.124 SHR X

"SHR" indicates a half-established connection that was closed by the
responder. (It's the responder in this case because the only packets
Bro saw were the SYN-ack [rather than the SYN] and the FIN.)

This is a highly unusual state for normal traffic, i.e. when Bro sees
both sides of the connections.
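
The diagnostic described in the message above, as an added example that is not part of the original post and is not Bro's own code: it scans connection summary lines for the "SHR" state and reports how often it occurs, since a large share suggests the monitor is seeing only one direction of the traffic. The field positions are inferred from the single summary line quoted in the post; the function names, the 20% threshold and the sample lines are assumptions constructed for illustration.

```python
from collections import Counter

# Constructed sample summaries (documentation-range addresses), laid out
# like the line quoted in the post; the last line is deliberately malformed.
SAMPLE = """\
925897359.600000 0.26 http ? 1775 192.0.2.10 198.51.100.7 SHR X
925897360.100000 1.02 http 312 4096 192.0.2.11 198.51.100.7 SF X
925897361.250000 0.31 http ? 2210 192.0.2.10 198.51.100.7 SHR X
925897362.900000 0.18 http ? 980 192.0.2.12 198.51.100.9 SHR X
925897363.400000 2.40 smtp 1500 220 192.0.2.13 198.51.100.8 SF X
truncated line
"""

def parse_summary(line):
    """Return a dict for one summary line, or None if it does not parse."""
    parts = line.split()
    if len(parts) < 8:
        return None
    try:
        start = float(parts[0])
    except ValueError:
        return None
    # Assumption: state is the 8th field, addresses the 6th and 7th,
    # as in the sample line quoted in the post.
    return {"start": start, "service": parts[2],
            "addr_a": parts[5], "addr_b": parts[6], "state": parts[7]}

def shr_report(text, threshold=0.2):
    """Summarise how many connections are in the half-established SHR state."""
    records = [r for r in map(parse_summary, text.splitlines()) if r]
    shr = [r for r in records if r["state"] == "SHR"]
    ratio = len(shr) / len(records) if records else 0.0
    pairs = Counter((r["addr_a"], r["addr_b"]) for r in shr)
    return {
        "total": len(records),
        "shr": len(shr),
        "ratio": ratio,
        # Hypothetical cut-off: SHR is unusual when both sides are visible,
        # so a high ratio points at asymmetric capture rather than at hosts.
        "likely_one_sided": ratio >= threshold,
        "pairs": pairs.most_common(),
    }

if __name__ == "__main__":
    report = shr_report(SAMPLE)
    print(f"{report['shr']}/{report['total']} connections in SHR "
          f"({report['ratio']:.0%}); one-sided capture likely: "
          f"{report['likely_one_sided']}")
    for (a, b), n in report["pairs"]:
        print(f"  {a} <-> {b}: {n}")
```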