[Bro] Event for syn-ack packet

Sheharbano Khattak sheharbano.k at gmail.com
Wed May 23 03:05:43 PDT 2012


I want to identify hosts within our monitored network that reply to certain
external IP addresses. The reply could be as short as a syn-ack. The event
connection_established is too late as it doesn't matter whether the
connection was established. All that matters is whether any of our hosts
replied to the external IP even if that means a single syn-ack packet. Do
we have an event that could be used to capture this information?


Sheharbano Khattak
