[Bro] Weird behavior
dhoelzer at sans.org
Sun Jul 24 04:34:21 PDT 2016
I have not looked, but might you be seeing the SYN-ACK from the respondent trigger the rule as well?
Fellow, SANS Institute
Dean of Faculty, SANS Technology Institute
On July 23, 2016 at 4:39:13 PM, Ben Mixon-Baca (bmixonb1 at cs.unm.edu) wrote:
I have been trying to trace a bug in my code. I put print
statements in several events including connection_SYN_packet. I am
seeing this event getting fired off twice for every SYN packet seen on
the wire. When I inspect the pcap with Wireshark, however, I have only
found a single SYN packet. So I am wondering if there is something
special happening in the event engine when using low level functions
like connect_SYN_packet, that might cause this behavior.