[Bro] Weird behavior
robin at icir.org
Mon Jul 25 08:26:54 PDT 2016
On Sat, Jul 23, 2016 at 13:36 -0700, Ben Mixon-Baca wrote:
> special happening in the event engine when using low level functions
> like connect_SYN_packet, that might cause this behavior.
Generally, there shouldn't. It's hard to say what's happening without
seeing the packets. If you can send a small trace exhibiting the
problem and the Bro script/command line you're using, we can probably
figure it out pretty quickly.
And just to confirm what Dave wrote: yes, SYN/ACKs will trigger the
event as well; pkt$is_orig says which side the packet came from.
Robin Sommer * ICSI/LBNL * robin at icir.org * www.icir.org/robin