[Bro] RST handling
adayadil.thomas at gmail.com
Sun Aug 12 19:45:09 PDT 2007
I have a general TCP RST handling question.
Assuming the state of a connection is established, and data has been
transferred to and fro, and then the server sends a RST packet (or two)
to the client and the session ends soon after.
From an IDS/IPS standpoint,
- should the session be transitioned to closed upon seeing the first RST?
- if not, is the session marked as SEEN_RST or something and timed out?
From an IPS point of view (which does not allow stateless traffic)
knowing when to remove the connection is critical, isn't it?
I would like to know from the Bro standpoint and in general.
Thanks a lot for any information/viewpoint.
Why does the server send two RSTs as in the example below --
15:47:05.990438 192.168.0.1.8080 > 192.168.1.1.46615: R 1:1(0) ack 10500305 win 32768 <nop,nop,timestamp 44983385 1113850335> (DF)
15:47:05.990499 192.168.0.1.8080 > 192.168.1.1.46615: R 4223569903:4223569903(0) win 0 (DF)