[Bro] RST handling

Adayadil Thomas adayadil.thomas at gmail.com
Sun Aug 12 19:45:09 PDT 2007


I have a general TCP RST handling question.

Assuming the state of a connection is established, and data has been
transferred to and fro, and then the server sends an RST packet (or two) [1]
to the client and the session ends soon after.

From an IDS/IPS standpoint,
- should the session be transitioned to closed upon seeing the first RST?
- if not, is the session marked as SEEN_RST or something and timed out?

From an IPS point of view (which does not allow stateless traffic),
knowing when to remove the connection is critical, isn't it?

I would like to know from Bro's standpoint and in general.

Thanks a lot for any information/viewpoint.


[1] Why does the server send two RST as in the example below --

15:47:05.990438 > R 1:1(0) ack
10500305 win 32768 <nop,nop,timestamp 44983385 1113850335> (DF)
15:47:05.990499 > R
4223569903:4223569903(0) win 0 (DF)
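As an added illustration of the two options asked about above (this is example code written here, not Bro's implementation or anything from the original post): a minimal flow tracker that accepts an RST only when its sequence number falls inside the window the receiving side currently advertises (the RFC 793 acceptability rule), moves the flow to a RST_SEEN state rather than closing it immediately, and reaps it after a linger timeout. The sequence numbers, windows and the RST_LINGER value are constructed for the demo and only loosely modelled on the trace quoted in the footnote.

```python
from dataclasses import dataclass
from typing import Dict, Optional

ESTABLISHED, RST_SEEN, CLOSED = "ESTABLISHED", "RST_SEEN", "CLOSED"
RST_LINGER = 5.0  # seconds a flow lingers after an accepted RST (assumed value)
MOD = 2 ** 32     # TCP sequence space

@dataclass
class Flow:
    nxt: Dict[str, int]   # next sequence number expected from each side
    wnd: Dict[str, int]   # window each side last advertised
    state: str = ESTABLISHED
    rst_seen_at: Optional[float] = None

def rst_acceptable(flow: Flow, sender: str, seq: int) -> bool:
    """An RST from `sender` is valid only if its SEQ lies in the peer's receive
    window: peer.RCV.NXT <= seq < peer.RCV.NXT + peer.RCV.WND (mod 2**32)."""
    peer = "client" if sender == "server" else "server"
    offset = (seq - flow.nxt[sender]) % MOD
    return offset < flow.wnd[peer]

def on_packet(flow: Flow, sender: str, seq: int, flags: str,
              payload_len: int, now: float) -> str:
    """Process one segment and return the resulting flow state."""
    if flow.state == CLOSED:
        return CLOSED
    if "R" in flags:
        if flow.state == ESTABLISHED and rst_acceptable(flow, sender, seq):
            flow.state, flow.rst_seen_at = RST_SEEN, now
        # An out-of-window RST, or a second RST, changes nothing: the endpoint
        # would ignore it, so the tracker must not tear the flow down on it.
        return flow.state
    if flow.state == ESTABLISHED:
        flow.nxt[sender] = (seq + payload_len) % MOD
    return flow.state

def expire(flow: Flow, now: float) -> str:
    """Reap a flow once it has lingered in RST_SEEN for RST_LINGER seconds."""
    if flow.state == RST_SEEN and now - flow.rst_seen_at >= RST_LINGER:
        flow.state = CLOSED
    return flow.state

def demo() -> list:
    # Constructed flow: client expects the server's next byte at seq 1 and
    # advertises a 32768-byte window, as in the first quoted RST.
    flow = Flow(nxt={"client": 10500305, "server": 1},
                wnd={"client": 32768, "server": 5840})
    return [on_packet(flow, "server", 1, "R", 0, 0.0),            # in window
            on_packet(flow, "server", 4223569903, "R", 0, 0.0001),  # out of window
            expire(flow, 1.0),                                       # still lingering
            expire(flow, RST_LINGER)]                                # reaped
```

Running demo() walks through the two RSTs from the footnote: the first is accepted and parks the flow in RST_SEEN, the second is ignored, and the flow is removed only once the linger timeout passes.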

