[Bro] Artificial SYN-Packets?
vern at icir.org
Tue Jun 9 04:42:08 PDT 2009
Okay, I analyzed this, and the answer is that the connection compressor
can't generate new_packet events for some packets because new_packet
requires an associated connection (first parameter to the event handler),
and the point of the compressor is to not initially create connections.
It can't really fake up a new_packet event in this context once it does
create the connection, because it has (deliberately) lost the interesting

Your script should work as expected if you run it with
use_connection_compressor=F. Perhaps the presence of a new_packet
event handler should turn off the compressor automatically; or
perhaps we should change new_packet to not have an associated
connection (though I imagine that would often prove inconvenient).