jmellander at lbl.gov
Fri Dec 1 16:27:08 PST 2006
Could someone explain what tcp_attempt_delay is used for? It seems that
it may be relevant to a script problem that I am experiencing, where a
'new_connection' event is occurring 5 seconds after the packet is
received (an unanswered SYN), 5 seconds being also the default value of
tcp_attempt_delay - so I am drawing a (possibly unwarranted) connection
between the value of tcp_attempt_delay and the time delay I am experiencing.
Is there perhaps a different event that I should be looking at, or can
this value be turned to zero without negative effect? - I need to
respond immediately to an incoming packet.
The application is a custom 'catch-and-release' blocking script. We
block a host when it scans, then unblock after an interval of
quiescence, to preserve a working set of currently threatening hosts.
When a host that was unblocked as much as sends a single packet, we want
to immediately reblock. This, of course, requires immediate response -
waiting for a 5 second interval is unacceptable.
On an older version of Bro, the new_connection event was triggered
immediately on receipt of the first packet, and the 'catch-and-release'
mechanism worked correctly, now we seem to have this 5 second delay.
Thanks in advance.
Incident Response Manager
Computer Protection Program
Lawrence Berkeley National Laboratory
The reason you are having computer problems is:
The Internet is being scanned for viruses.
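The timing problem the post describes can be made concrete with a small model of the catch-and-release logic. The following Python is an added illustration, not code from the poster or from Bro: it keeps a working set of hosts that are blocked on a scan, released after a quiet interval, and reblocked the moment they send anything again, and it lets the delay between packet arrival and the script's event (the 5 seconds attributed to `tcp_attempt_delay`) be varied. The host address, the 60-second quiet interval and the trace are constructed for the example.

```python
"""Model of a catch-and-release blocker (added example, not Bro code).

The script learns of a packet `event_delay` seconds after it arrives, which
mirrors the gap the post describes between an unanswered SYN and the
new_connection event.  Hosts, times and the delay are constructed values.
"""
from dataclasses import dataclass, field


@dataclass
class CatchAndRelease:
    quiet_interval: float                          # seconds of silence before release
    blocked: dict = field(default_factory=dict)    # host -> time the block was applied
    released: set = field(default_factory=set)     # working set: released, still watched
    last_seen: dict = field(default_factory=dict)  # host -> last time the script saw it
    actions: list = field(default_factory=list)    # (time, action, host) audit trail

    def _block(self, host, now, action):
        self.blocked[host] = now
        self.released.discard(host)
        self.actions.append((now, action, host))

    def on_scan(self, host, now):
        # A scan detector fired for this host: first offence, block it.
        self.last_seen[host] = now
        if host not in self.blocked:
            self._block(host, now, "block")

    def on_packet(self, host, now):
        # Any packet at all from a host in the working set means immediate reblock.
        self.last_seen[host] = now
        if host in self.released:
            self._block(host, now, "reblock")

    def tick(self, now):
        # Periodic timer: release hosts that have been quiet for the whole interval.
        for host in list(self.blocked):
            if now - self.last_seen[host] >= self.quiet_interval:
                del self.blocked[host]
                self.released.add(host)
                self.actions.append((now, "release", host))


def replay(trace, quiet_interval, event_delay):
    """Replay (arrival_time, kind, host) entries through the blocker.

    'scan' and 'packet' entries reach the script event_delay seconds after
    arrival; 'tick' entries are the script's own timer and are not delayed.
    Returns the audit trail of block/release/reblock actions.
    """
    cr = CatchAndRelease(quiet_interval)
    for arrival, kind, host in sorted(trace):
        if kind == "tick":
            cr.tick(arrival)
        elif kind == "scan":
            cr.on_scan(host, arrival + event_delay)
        else:
            cr.on_packet(host, arrival + event_delay)
    return cr.actions


# Constructed trace: one scanner, one quiet period, one returning SYN.
TRACE = [
    (0.0, "scan", "10.0.0.5"),      # scan detected -> host is blocked
    (70.0, "tick", ""),             # timer: more than 60 s quiet -> host is released
    (100.0, "packet", "10.0.0.5"),  # a single unanswered SYN from the released host
]


def reblock_latency(event_delay, trace=TRACE, quiet_interval=60.0):
    """Seconds between the returning host's first packet and its reblock."""
    actions = replay(trace, quiet_interval, event_delay)
    first_packet = min(t for t, kind, _ in trace if kind == "packet")
    reblock_at = next(t for t, action, _ in actions if action == "reblock")
    return reblock_at - first_packet


if __name__ == "__main__":
    for delay in (5.0, 0.0):
        print(f"event delay {delay:>3}s -> reblock after {reblock_latency(delay)}s")
        for t, action, host in replay(TRACE, 60.0, delay):
            print(f"  t={t:6.1f}  {action:8}  {host}")
```

With a 5-second event delay the reblock lands 5 seconds after the SYN, exactly the gap the post complains about; with the delay at zero the reblock is immediate. The model makes the point that the delay is a property of when the script is told about the packet, not of the blocking logic itself, so the fix has to come from the event the script listens on rather than from the catch-and-release code.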