[Bro] Event for syn-ack packet
sheharbano.k at gmail.com
Wed May 23 09:58:44 PDT 2012
Thanks. I thought the event connection_established was generated after the
initial 3-way handshake is completed as mentioned here:
On Wed, May 23, 2012 at 9:42 PM, Vern Paxson <vern at icir.org> wrote:
> To clarify, a SYN-ACK in response to a SYN is enough for Bro to generate
> connection_established. It doesn't actually look for a full 3-way
> (i.e., an ACK of the SYN-ACK). Does that help? Alternatively, if you have
> traces you can share that demonstrate a failure to get the
> connection_established event, then we can look into just what's going on.
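The behaviour described in the reply, as an added example that is not part of the original thread or the Bro distribution: a script that remembers each connection for which `connection_established` fired and reports, when the connection is removed, those where the originator never followed the SYN-ACK with an ACK or data. The `awaiting_ack` set and the history-based check are assumptions of this sketch.

```zeek
# Added example (not from the thread). Since connection_established is
# raised on the SYN-ACK alone, a script that needs a completed 3-way
# handshake has to confirm the originator's follow-up itself.

# Hypothetical helper state: UIDs for which connection_established fired.
global awaiting_ack: set[string];

event connection_established(c: connection)
	{
	# Per the reply above: a SYN-ACK in response to a SYN is enough
	# to get here; the final ACK has not necessarily been seen.
	add awaiting_ack[c$uid];
	}

event connection_state_remove(c: connection)
	{
	if ( c$uid !in awaiting_ack )
		return;

	delete awaiting_ack[c$uid];

	# c$history letters: upper case = originator, lower case = responder.
	# "A" is a pure ACK and "D" is a packet with payload. Assumption of
	# this sketch: if the originator sent neither, it never acknowledged
	# the SYN-ACK, so the handshake stayed half-open.
	if ( "A" !in c$history && "D" !in c$history )
		print fmt("%s %s -> %s: established event without originator ACK (history=%s)",
		          c$uid, c$id$orig_h, c$id$resp_h, c$history);
	}
```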