[Bro] tcp_attempt_delay

Jim Mellander jmellander at lbl.gov
Fri Dec 1 16:27:08 PST 2006

Could someone explain what tcp_attempt_delay is used for?  It seems that
it may be relevant to a script problem that I am experiencing, where a
'new_connection' event is occurring 5 seconds after the packet is
received (an unanswered SYN), 5 seconds being also the default value of
tcp_attempt_delay - so I am drawing a (possibly unwarranted) connection
between the value of tcp_attempt_delay and the time delay I am experiencing.

Is there perhaps a different event that I should be looking at, or can
this value be turned to zero without negative effect? - I need to
respond immediately to an incoming packet.

The application is a custom 'catch-and release' blocking script.  We
block a host when it scans, then unblock after an interval of
quiescence, to preserve a working set of currently threatening hosts.
When a host that was unblocked as much as sends a single packet, we want
to immediately reblock.  This, of course, requires immediate response -
waiting for a 5 second interval is unacceptable.

On an older version of Bro, the new_connection event was triggered
immediately on receipt of the first packet, and the 'catch-and-release'
mechanism worked correctly, now we seem to have this 5 second delay.

Thanks in advance.

Jim Mellander
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
(510) 486-7204

The reason you are having computer problems is:

The Internet is being scanned for viruses.

More information about the Bro mailing list