[Bro-Dev] connection_established behavior
Robin Sommer
robin at icir.org
Fri Dec 17 01:07:12 PST 2010
On Tue, Dec 14, 2010 at 09:42 -0800, you wrote:
> - Instantiating on SYN ACK came about due to coping with Bro
> deployments with split routing, such that they never saw
> initial SYNs for some connections.
Isn't this controlled by this option:
    # If true, instantiate connection state when a SYN ack is seen
    # but not the initial SYN (even if partial_connection_ok is false).
    const tcp_SYN_ack_ok = T &redef;
Perhaps we should just change the default?
> and instead go with an empirical set. $history allows this but
> in an implicit fashion, rather than with explicit states. The
> latter would be better, though it's not clear to me that it's
> really worth the work.
Not for the time being I would say, as this would be quite a major
change. However, at some point, we should definitely look more
closely at the TCP code.
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org