[Bro-Dev] Weird behavior in Katrina's code.

Vern Paxson vern at icir.org
Wed Dec 1 19:23:25 PST 2010


> 1266506673.653157 ip1 port1 ip2 port2 60 0 888448966 0 S
> 1266506673.653530 ip2 port2 ip1 port1 40 0 1921250427 888448967 RA
> 1266506676.651348 ip1 port1 ip2 port2 60 0 888448966 0 S
> 1266506676.651708 ip2 port2 ip1 port1 40 0 570721244 888448967 RA
> 1266506682.651195 ip1 port1 ip2 port2 60 0 888448966 0 S
> 1266506682.651622 ip2 port2 ip1 port1 40 0 1779909088 888448967 RA
> 1266506694.651297 ip1 port1 ip2 port2 60 0 888448966 0 S
> 1266506694.651669 ip2 port2 ip1 port1 40 0 2051408459 888448967 RA
> 1266506718.651252 ip1 port1 ip2 port2 60 0 888448966 0 S
> 1266506718.651676 ip2 port2 ip1 port1 60 0 3793171500 888448967 SA

This is a pattern that Bro will interpret differently depending on the
setting of various timeouts defined in bro.init.  I'm not sure exactly
which ones would apply here, but it could for example be

	# Upon seeing a RST, flush state after this much time.
	const tcp_reset_delay = 5 secs &redef;

or

	# Upon seeing a normal connection close, flush state after this much time.
	const tcp_close_delay = 5 secs &redef;

If those were different for the runs, that would explain why you're getting
different results from the two Bro runs.

Could that be what's going on?

		Vern
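As an added illustration (not code from the message above and not Bro's own logic), the constructed Python model below applies the "flush state after a delay" rule to the quoted timestamps and shows how the value of tcp_reset_delay changes how many connection records the same trace is split into. Treating any packet after a flush as the start of a new record is a simplifying assumption.

```python
# Simplified model of the "flush state after a delay" rule from bro.init.
# Assumption (not Bro's actual implementation): once the state for a 4-tuple
# has been flushed, the next packet on it starts a new connection record.

TRACE = [  # constructed from the packets quoted above: (timestamp, TCP flags)
    (1266506673.653157, "S"),
    (1266506673.653530, "RA"),
    (1266506676.651348, "S"),
    (1266506676.651708, "RA"),
    (1266506682.651195, "S"),
    (1266506682.651622, "RA"),
    (1266506694.651297, "S"),
    (1266506694.651669, "RA"),
    (1266506718.651252, "S"),
    (1266506718.651676, "SA"),
]


def count_connections(trace, tcp_reset_delay=5.0):
    """Return (number of connection records, per-packet record id).

    tcp_reset_delay mirrors the bro.init constant: after a packet carrying
    RST, the current state is discarded once that many seconds have passed,
    so a later SYN (even a retransmission with the same ISN, as in the
    quoted trace) is attributed to a fresh connection record.
    """
    conns = 0
    flush_at = None          # time at which the current state expires
    labels = []
    for ts, flags in trace:
        if conns == 0 or (flush_at is not None and ts >= flush_at):
            conns += 1       # no live state for this 4-tuple: new record
            flush_at = None
        if "R" in flags:
            flush_at = ts + tcp_reset_delay
        labels.append(conns)
    return conns, labels


if __name__ == "__main__":
    for delay in (1.0, 5.0, 30.0):
        n, labels = count_connections(TRACE, delay)
        print(f"tcp_reset_delay={delay:>4}s -> {n} connection(s): {labels}")
```

With the 5 secs default the 3-second retransmission is folded into the first record, while the 6, 12 and 24 second retries each start a new one, so two runs with different delays report different connection counts for identical input.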


