[Bro] Event for syn-ack packet
sheharbano.k at gmail.com
Wed May 23 10:07:07 PDT 2012
If someone tries to open up several half-open connections to our host, how
will we know if we don't distinguish between SYN-ACK and ACK? This implies
that a connection for which an ACK was never heard would still be treated
as an established connection.
On Wed, May 23, 2012 at 10:02 PM, Vern Paxson <vern at icir.org> wrote:
> > Thanks. I thought the event connection_established was generated after
> > initial 3-way handshake is completed as mentioned here:
> Yeah, that's in fact a documentation glitch :-(. That describes what
> probably *should* be done, but in fact the event is generated on seeing
> the SYN-ACK (I just double-checked the code). I wrote it that way eons
> ago when Bro often operated on TCP streams that had been filtered to
> SYN/FIN/RST packets only, which meant it wouldn't see the pure ACK
> the handshake.
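
The distinction raised in this thread, as an added example that is not part of the original messages and is not Bro code: a stand-alone Python tracker that separates "SYN-ACK seen" from "final ACK seen" and reports connections stuck at the SYN-ACK stage. The record layout, stage names and 5-second timeout are assumptions, and the packets are constructed sample data.

```python
from collections import Counter

SYN, ACK, RST = 0x02, 0x10, 0x04  # TCP flag bits

# Constructed sample records: (time, src, sport, dst, dport, flags)
PACKETS = [
    (0.00, "10.0.0.5", 40000, "192.0.2.10", 80, SYN),
    (0.01, "192.0.2.10", 80, "10.0.0.5", 40000, SYN | ACK),
    (0.02, "10.0.0.5", 40000, "192.0.2.10", 80, ACK),  # handshake completed
    (1.00, "198.51.100.7", 50001, "192.0.2.10", 80, SYN),
    (1.01, "192.0.2.10", 80, "198.51.100.7", 50001, SYN | ACK),
    (1.10, "198.51.100.7", 50002, "192.0.2.10", 80, SYN),
    (1.11, "192.0.2.10", 80, "198.51.100.7", 50002, SYN | ACK),
    (1.20, "198.51.100.7", 50003, "192.0.2.10", 80, SYN),
    (1.21, "192.0.2.10", 80, "198.51.100.7", 50003, SYN | ACK),
    (9.00, "10.0.0.6", 40001, "192.0.2.10", 80, SYN),
    (9.01, "192.0.2.10", 80, "10.0.0.6", 40001, SYN | ACK),  # ACK may still arrive
    (10.00, "10.0.0.5", 40000, "192.0.2.10", 80, ACK),
]

def half_open(packets, timeout=5.0):
    """Connections that got a SYN-ACK but no client ACK within `timeout` seconds."""
    state = {}  # (client, cport, server, sport) -> (stage, time stage was reached)
    now = 0.0   # latest timestamp seen, used as the reference clock
    for ts, src, sport, dst, dport, flags in packets:
        now = max(now, ts)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if flags & RST:
            # Either side aborted: forget the connection in both orientations.
            state.pop(fwd, None)
            state.pop(rev, None)
        elif (flags & SYN) and not (flags & ACK):
            state[fwd] = ("syn", ts)
        elif (flags & SYN) and (flags & ACK):
            # SYN-ACK travels server -> client, so the tracked key is reversed.
            if state.get(rev, ("",))[0] == "syn":
                state[rev] = ("synack", ts)
        elif (flags & ACK) and state.get(fwd, ("",))[0] == "synack":
            # Only the client's pure ACK completes the three-way handshake.
            state[fwd] = ("established", ts)
    return sorted(k for k, (stage, ts) in state.items()
                  if stage == "synack" and now - ts >= timeout)

def half_open_per_client(packets, timeout=5.0):
    """Count stuck handshakes per client address."""
    return Counter(conn[0] for conn in half_open(packets, timeout))

if __name__ == "__main__":
    for client, n in half_open_per_client(PACKETS).items():
        print(f"{client}: {n} handshakes never completed")
```
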