[Bro] Event for syn-ack packet
Siwek, Jonathan Luke
jsiwek at illinois.edu
Wed May 23 10:06:51 PDT 2012
On May 23, 2012, at 11:42 AM, Vern Paxson wrote:
> To clarify, a SYN-ACK in response to a SYN is enough for Bro to generate
> connection_established. It doesn't actually look for a full 3-way handshake
> (i.e., an ACK of the SYN-ACK). Does that help?
Ok, my confusion was that the comment for that event in event.bif was "The event is raised when the initial 3-way TCP handshake has successfully finished for a connection.", but actually testing it out it seems to be generated for just syn/syn-ack exchanges with nothing further. I'll update that comment unless there's some other subtlety about why it's worded that way.
One caveat could still be that connection_established is TCP-specific; the example I gave could be used for UDP "connections", too.
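The difference discussed in this message, as an added illustration that is not part of the original post and not Bro's own code: a simplified Python model that declares a connection established either on a SYN-ACK answering a SYN, or only after the originator's final ACK. The packet tuples, addresses and the `established` function are constructed for this example.

```python
from collections import namedtuple

SYN, ACK = 0x02, 0x10  # TCP flag bits
Pkt = namedtuple("Pkt", "src sport dst dport flags")

def established(packets, require_final_ack=False):
    """Return the (originator, responder) pairs declared established, in order.

    require_final_ack=False: declare on a SYN-ACK that answers a SYN
    (the behaviour described in this thread).
    require_final_ack=True: declare only once the originator ACKs the
    SYN-ACK (a strict 3-way handshake).
    """
    state = {}  # (orig, resp) -> "syn" | "synack" | "est"
    out = []
    for p in packets:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        if syn and not ack:
            # Initial SYN: sender is the originator.
            state.setdefault((a, b), "syn")
        elif syn and ack and state.get((b, a)) == "syn":
            # SYN-ACK from the responder, matching an earlier SYN.
            state[(b, a)] = "synack"
            if not require_final_ack:
                state[(b, a)] = "est"
                out.append((b, a))
        elif ack and not syn and state.get((a, b)) == "synack":
            # Final ACK from the originator completes the handshake.
            state[(a, b)] = "est"
            out.append((a, b))
    return out

# Constructed sample traffic: one full handshake, one exchange that stops
# after the SYN-ACK, and one SYN-ACK with no preceding SYN.
FULL = (("10.0.0.1", 40000), ("10.0.0.2", 80))
HALF = (("10.0.0.3", 40001), ("10.0.0.2", 80))
SAMPLE = [
    Pkt("10.0.0.1", 40000, "10.0.0.2", 80, SYN),
    Pkt("10.0.0.2", 80, "10.0.0.1", 40000, SYN | ACK),
    Pkt("10.0.0.3", 40001, "10.0.0.2", 80, SYN),
    Pkt("10.0.0.1", 40000, "10.0.0.2", 80, ACK),
    Pkt("10.0.0.2", 80, "10.0.0.3", 40001, SYN | ACK),
    Pkt("10.0.0.9", 443, "10.0.0.4", 5555, SYN | ACK),
]

if __name__ == "__main__":
    print("on SYN-ACK:  ", established(SAMPLE))
    print("on final ACK:", established(SAMPLE, require_final_ack=True))
```

Under the SYN-ACK rule, the exchange that never receives a final ACK is still reported, so a script that treats the event as proof of a completed handshake will also count half-open connections.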