[Bro] Weird behavior

Hoelzer, Dave dhoelzer at sans.org
Sun Jul 24 04:34:21 PDT 2016

I have not looked, but might you be seeing the SYN-ACK from the respondent trigger the rule as well?

David Hoelzer
Fellow, SANS Institute
Dean of Faculty, SANS Technology Institute

On July 23, 2016 at 4:39:13 PM, Ben Mixon-Baca (bmixonb1 at cs.unm.edu<mailto:bmixonb1 at cs.unm.edu>) wrote:


I have been trying to trace a bug in my code. I put print
statements in several events including connection_SYN_packet. I am
seeing this event getting fired off twice for every SYN packet seen on
the wire. When I inspect the pcap with wireshark however, I have only
found a single SYN packet. So I am wondering if there is something
special happening in the event engine when using low level functions
like connection_SYN_packet, that might cause this behavior.


Bro mailing list
bro at bro-ids.org
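Dave's hypothesis (that the responder's SYN-ACK raises connection_SYN_packet a second time) can be checked from script-land by looking at the is_orig field of the SYN_packet record. The script below is an added example written for this archive page; it is not code from the thread or from the Bro project. It assumes a Bro 2.x install with the stock connection_SYN_packet and connection_state_remove events, and the module name and the two counting tables are the example's own.

```bro
# Added example: tell originator SYNs apart from responder SYN-ACKs in
# connection_SYN_packet and count each per connection.
# Run against a capture with:  bro -r capture.pcap syn_dir.bro

module SynDir;

export {
    # Per-connection counters keyed by connection UID (constructed for this
    # example, not part of Bro's stock scripts).
    global syn_counts: table[string] of count &default=0;
    global synack_counts: table[string] of count &default=0;
}

event connection_SYN_packet(c: connection, pkt: SYN_packet)
    {
    # Bro raises this event for every packet with the SYN flag set, so the
    # responder's SYN-ACK arrives here too. pkt$is_orig is T for the
    # originator's SYN and F for the responder's SYN-ACK.
    if ( pkt$is_orig )
        {
        syn_counts[c$uid] = syn_counts[c$uid] + 1;
        print fmt("%s SYN     %s:%s -> %s:%s ttl=%d win=%d",
                  c$uid, c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
                  pkt$ttl, pkt$win_size);
        }
    else
        {
        synack_counts[c$uid] = synack_counts[c$uid] + 1;
        print fmt("%s SYN-ACK %s:%s -> %s:%s ttl=%d win=%d",
                  c$uid, c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p,
                  pkt$ttl, pkt$win_size);
        }
    }

event connection_state_remove(c: connection)
    {
    # A clean handshake shows exactly one SYN and one SYN-ACK. More than one
    # originator SYN on the same UID points at retransmission or scanning on
    # the wire, not at the event engine firing spuriously.
    if ( c$uid in syn_counts || c$uid in synack_counts )
        {
        print fmt("%s summary: SYN=%d SYN-ACK=%d", c$uid,
                  syn_counts[c$uid], synack_counts[c$uid]);
        delete syn_counts[c$uid];
        delete synack_counts[c$uid];
        }
    }
```

If the per-connection summary reads SYN=1 SYN-ACK=1 for the flows in question, the "double" event is just the responder's SYN-ACK and a handler that should only react to client SYNs needs a `pkt$is_orig` guard; if it reads SYN=2, the second SYN is really on the wire and Wireshark's display filter is what to revisit.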