[Bro] Event for syn-ack packet
Siwek, Jonathan Luke
jsiwek at illinois.edu
Wed May 23 12:12:15 PDT 2012
>> One caveat could still be that connection_established is TCP-specific, the example I gave could be used for UDP "connections", too.
> I don't believe we generate connection_established in a UDP context. There
> it's instead udp_request and udp_reply. I'm not sure what example you're
> referring to.
Right, I meant the example of checking a connection's "history" field for any lower-case letters: that should indicate the responding side sent some type of packet during the connection lifetime, and it wouldn't need special handling for UDP separately from TCP.
And if it's important to distinguish half-open TCP connections from ones that complete a 3-way handshake, "history" looks like it could do that, too.
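One way to put the "history" check into a script, as an added example that is not from the thread: the function below labels a history string using the letter conventions Bro records (upper-case = packet from the originator, lower-case = packet from the responder; 'S' SYN, 'h' SYN-ACK, 'A'/'a' ACK, 'D'/'d' data, 'R'/'r' RST). The sample history strings in bro_init are constructed for illustration.

```bro
# Added example, not from the thread. Reads the conn record's "history" field:
# upper-case letters are originator-side packets, lower-case are responder-side.

# Returns a short label for a history string; works for TCP and UDP alike.
function classify_history(hist: string): string
	{
	# No lower-case letter at all: the responding side never sent a packet.
	if ( /[a-z]/ !in hist )
		{
		if ( /S/ in hist )
			return "tcp half-open (SYN, no SYN-ACK)";
		return "one-sided (no responder packets)";
		}

	# 'h' is the responder's SYN-ACK; an originator 'A' after it completes
	# the 3-way handshake, which separates full connections from half-open ones.
	if ( /S.*h.*A.*/ == hist )
		return "tcp handshake completed";

	# SYN answered by a responder RST.
	if ( /S.*r.*/ == hist )
		return "tcp refused (SYN answered by RST)";

	# Responder replied, but no handshake was recorded (e.g. UDP request/reply).
	return "responder replied (no handshake)";
	}

event bro_init()
	{
	# Constructed sample histories covering the cases above.
	local samples: vector of string = vector("S", "ShADadFf", "Sr", "Dd", "D");
	for ( i in samples )
		print fmt("%s -> %s", samples[i], classify_history(samples[i]));
	}

event connection_state_remove(c: connection)
	{
	# Label every connection once its state is flushed.
	print fmt("%s %s history=%s: %s", c$uid, c$id, c$history,
	          classify_history(c$history));
	}
```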