[Bro-Dev] connection_established behavior
Vern Paxson
vern at icir.org
Tue Dec 14 09:42:43 PST 2010
I haven't yet read this thread closely, so this may be off the mark,
but a couple of quick comments (before I disappear for a while):
- Instantiating on SYN ACK came about due to coping with Bro
deployments with split routing, such that they never saw
initial SYNs for some connections.
- One way to deal with backscatter would be to inspect $history
to see that no initial SYN was ever seen.
- A more principled way to deal with it would be to fix Bro's
basic notion of connection states. When I designed it, I didn't
realize that all sorts of non-compliant states could arise (e.g.,
connections for which only one side is seen). In principle,
Bro should stop trying to follow the RFC 793 notion of TCP states,
and instead go with an empirical set. $history allows this but
in an implicit fashion, rather than with explicit states. The
latter would be better, though it's not clear to me that it's
really worth the work.
- Vern
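The second and third bullets above (checking $history for a missing initial SYN, and replacing the RFC 793 state machine with an empirical set of states derived from what was actually seen) can be illustrated with a small classifier over history strings. The code below is an added example, not part of the original thread and not Bro's own code; it is written in Python rather than as a Bro script so that it runs stand-alone. It assumes the history letter convention documented for Bro's conn.log (uppercase for originator packets, lowercase for responder packets; S = SYN without ACK, H = SYN+ACK, A = pure ACK, D = data, F = FIN, R = RST); the state names and the sample histories are constructed for this example.

```python
# Added example: classify Bro $history strings into an empirical set of
# connection states instead of RFC 793 states.  Not part of Bro; the state
# names below are this example's own.  Letter semantics assumed from Bro's
# conn.log history field: uppercase = sent by originator, lowercase = sent by
# responder; S = SYN w/o ACK, H = SYN+ACK, A = pure ACK, D = data, F = FIN,
# R = RST.  Any other letters (checksum/inconsistent markers etc.) are ignored.

from collections import Counter
from enum import Enum


class ConnState(Enum):
    EMPTY = "no packets recorded"
    FULL_HANDSHAKE = "S, h and A all seen: complete three-way handshake"
    HANDSHAKE_INCOMPLETE = "both sides seen, but the handshake is incomplete"
    MIDSTREAM = "both sides seen, no SYN from either side (picked up midstream)"
    ORIG_ONLY = "only originator packets seen (unanswered SYN, scan, one-way path)"
    RESP_ONLY = "only responder packets seen (split routing or backscatter)"


def orig_seen(history: str) -> bool:
    """True if any packet from the originator was recorded."""
    return any(c.isupper() for c in history)


def resp_seen(history: str) -> bool:
    """True if any packet from the responder was recorded."""
    return any(c.islower() for c in history)


def saw_initial_syn(history: str) -> bool:
    """The check suggested in the post: was an originator SYN ever seen?"""
    return "S" in history


def is_backscatter_candidate(history: str) -> bool:
    """Backscatter looks like a SYN+ACK or RST arriving from the 'responder'
    with no originator packet at all.  A connection that Bro instantiated on
    a SYN+ACK because of split routing still shows later originator packets
    (ACKs, data, FIN), so it is excluded here."""
    return ("h" in history or "r" in history) and not orig_seen(history)


def classify(history: str) -> ConnState:
    """Map a history string onto an empirical state based only on what was
    observed, rather than on where RFC 793 says the endpoints should be."""
    if not history:
        return ConnState.EMPTY
    o, r = orig_seen(history), resp_seen(history)
    if o and not r:
        return ConnState.ORIG_ONLY
    if r and not o:
        return ConnState.RESP_ONLY
    if "S" in history and "h" in history and "A" in history:
        return ConnState.FULL_HANDSHAKE
    if "S" not in history and "h" not in history:
        return ConnState.MIDSTREAM
    return ConnState.HANDSHAKE_INCOMPLETE


def summarize(histories) -> Counter:
    """Count connections per empirical state, e.g. over a conn.log column."""
    return Counter(classify(h) for h in histories)


# Constructed sample histories (not real capture data):
SAMPLE_HISTORIES = [
    "ShADadFf",  # normal connection, full handshake
    "h",         # lone SYN+ACK: backscatter candidate
    "hr",        # SYN+ACK then RST from the same side: backscatter candidate
    "S",         # unanswered SYN
    "Dd",        # both directions, no SYNs: picked up midstream
    "ShR",       # SYN, SYN+ACK, then originator RST
    "hADadFf",   # initial SYN missed (split routing), rest of flow seen
]

if __name__ == "__main__":
    for hist in SAMPLE_HISTORIES:
        flag = " <- backscatter?" if is_backscatter_candidate(hist) else ""
        print(f"{hist:10s} {classify(hist).name}{flag}")
    print(summarize(SAMPLE_HISTORIES))
```

Run over a conn.log history column, summarize() gives the empirical state distribution the post argues for; is_backscatter_candidate() is the narrower $history test from the second bullet, and it deliberately does not flag the split-routing case, where originator packets turn up after the SYN+ACK.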