[Bro-Dev] connection_established behavior

Seth Hall seth at icir.org
Tue Dec 14 13:09:46 PST 2010


On Dec 14, 2010, at 12:42 PM, Vern Paxson wrote:

> 	- Instantiating on SYN ACK came about due to coping with Bro
> 	  deployments with split routing, such that they never saw
> 	  initial SYNs for some connections.

Ah, ok.

>   In principle,
> 	  Bro should stop trying to follow the RFC 793 notion of TCP states,
> 	  and instead go with an empirical set. 

Thanks for the backstory on this, it makes this much clearer for me.  Perhaps I'll file a ticket for someone to look into doing this for 1.7.

The only thing that is still nagging me is that the behavior is different with the connection compressor than it is without it. Does it make sense to do anything to make the connection_compressor and non-connection_compressor scenarios end up with the same result?

 .Seth

