[Bro] Event for syn-ack packet
vern at icir.org
Wed May 23 10:55:49 PDT 2012
> If someone tries to open up several half open connections to our host, how
> will we know if we don't distinguish between SYN-ACK and ACK ?
I'm not sure I understand your concern here. Connections are identified
by their five-tuple. If the five-tuple for an active connection is reused,
the two instances will be treated as a single connection; that would be
the case regardless of whether the connection has seen a 2-packet SYN
exchange or a full 3-way handshake.
In terms of TCP semantics, a connection that's only had a 2-packet SYN
exchange is still active, and shouldn't be reused. If the handshake
never completes, it will eventually be torn down with a RST - which will
also cause Bro to consider it no longer active.
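The five-tuple bookkeeping described in the reply, as an added illustration that is not part of the original thread and is not Bro/Zeek code: a toy connection tracker keys every packet on a direction-independent five-tuple, so a repeated SYN on an active tuple lands in the existing entry, a SYN/SYN-ACK exchange without the final ACK leaves that entry half-open, and a RST removes it. The state names, the `ConnTracker` class and the traffic in `run_scenario()` are all constructed for this example; they are not Bro's `conn_state` labels or API. Counting half-open entries per responder is the kind of check a monitor would use to notice many unanswered handshakes against one host.

```python
"""Added example: minimal five-tuple TCP connection tracker (not Bro/Zeek code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits

Endpoint = Tuple[str, int]
ConnKey = Tuple[Endpoint, Endpoint, str]   # sorted endpoints plus protocol


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    proto: str = "tcp"


@dataclass
class Conn:
    originator: Endpoint
    responder: Endpoint
    state: str          # this example's own labels: syn_sent -> half_open -> established
    packets: int = 0


def conn_key(pkt: Packet) -> ConnKey:
    """Direction-independent five-tuple: both directions of a flow map to one key."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (min(a, b), max(a, b), pkt.proto)


class ConnTracker:
    def __init__(self) -> None:
        self.conns: Dict[ConnKey, Conn] = {}

    def process(self, pkt: Packet) -> Optional[str]:
        """Feed one packet; return the connection's state afterwards (None if torn down/ignored)."""
        key = conn_key(pkt)
        conn = self.conns.get(key)
        sender: Endpoint = (pkt.src, pkt.sport)

        if pkt.flags & RST:
            # A RST tears the entry down whatever its state; the five-tuple is free again.
            self.conns.pop(key, None)
            return None

        if conn is None:
            if pkt.flags & SYN and not pkt.flags & ACK:
                self.conns[key] = Conn(sender, (pkt.dst, pkt.dport), "syn_sent", 1)
                return "syn_sent"
            return None   # no handshake seen for this five-tuple: ignore

        conn.packets += 1
        if conn.state == "syn_sent" and pkt.flags & SYN and pkt.flags & ACK and sender == conn.responder:
            conn.state = "half_open"          # 2-packet SYN exchange, handshake not complete
        elif conn.state == "half_open" and pkt.flags & ACK and not pkt.flags & SYN and sender == conn.originator:
            conn.state = "established"        # full 3-way handshake
        # Anything else (a repeated SYN, a retransmitted SYN-ACK) is folded into the existing entry.
        return conn.state

    def half_open_per_responder(self) -> Dict[str, int]:
        """Half-open entries per responder host: the defender's unanswered-handshake count."""
        counts: Dict[str, int] = {}
        for c in self.conns.values():
            if c.state == "half_open":
                counts[c.responder[0]] = counts.get(c.responder[0], 0) + 1
        return counts


def run_scenario() -> Tuple[int, Dict[str, int], int]:
    """Constructed traffic: three half-open attempts, one completed handshake, one reset."""
    t = ConnTracker()
    srv = ("10.0.0.5", 80)                       # constructed responder address
    for p in (40001, 40002, 40003):              # SYN, SYN-ACK, but never the final ACK
        t.process(Packet("10.0.0.9", p, *srv, SYN))
        t.process(Packet(*srv, "10.0.0.9", p, SYN | ACK))
    t.process(Packet("10.0.0.9", 40004, *srv, SYN))            # full handshake
    t.process(Packet(*srv, "10.0.0.9", 40004, SYN | ACK))
    t.process(Packet("10.0.0.9", 40004, *srv, ACK))
    t.process(Packet("10.0.0.9", 40001, *srv, SYN))            # repeat SYN on an active tuple
    t.process(Packet("10.0.0.9", 40005, *srv, SYN))            # torn down with a RST
    t.process(Packet(*srv, "10.0.0.9", 40005, SYN | ACK))
    t.process(Packet(*srv, "10.0.0.9", 40005, RST))
    first = t.conns[conn_key(Packet("10.0.0.9", 40001, *srv, SYN))]
    return len(t.conns), t.half_open_per_responder(), first.packets


if __name__ == "__main__":
    print(run_scenario())   # (4, {'10.0.0.5': 3}, 3)
```

The repeated SYN on port 40001 does not create a second connection; it bumps the packet count of the entry already keyed on that five-tuple, which is the behaviour the reply describes. Only the RST on port 40005 removes an entry, leaving four tracked connections of which three are half-open against the responder.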