[Bro-Dev] connection_established behavior
Gregor Maier
gregor at icir.org
Sun Dec 19 09:32:02 PST 2010
On 12/17/10 1:07, Robin Sommer wrote:
>> - Instantiating on SYN ACK came about due to coping with Bro
>> deployments with split routing, such that they never saw
>> initial SYNs for some connections.
>
> Isn't this controlled by this option:
>
> # If true, instantiate connection state when a SYN ack is seen
> # but not the initial SYN (even if partial_connection_ok is false).
> const tcp_SYN_ack_ok = T &redef;
>
>
> Perhaps we should just change the default?
Then you would only instantiate on connections with a full handshake.
So, I would keep it as it is!
(It only takes effect if partial_connection_ok=F)
Changing this option wouldn't necessarily change event generation
either, I think. We just have to unify the way the
connection_established event is generated in TCP.cc and Connection
Compressor.
>> and instead go with an empirical set. $history allows this but
>> in an implicit fashion, rather than with explicit states. The
>> latter would be better, though it's not clear to me that it's
>> really worth the work.
>
> Not for the time being I would say, as this would be quite a major
> change. However, at some point, we should definitely look more
> closely at the TCP code.
Yeah. That's basically a rewrite of most of the TCP Analyzer. Probably
something to consider at some point though.
cu
gregor
--
Gregor Maier gregor at icir.org
Int. Computer Science Institute (ICSI) gregor at icsi.berkeley.edu
1947 Center St., Ste. 600 http://www.icir.org/gregor/
Berkeley, CA 94704
USA
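As an added illustration (not part of the thread or of Bro's own scripts), the following policy script pins the two options discussed above to the values Gregor argues for and then reports, from connection_established, which handshake state a connection was in when its state was instantiated. It relies only on the $history string, i.e. the implicit state Vern refers to. Assumptions: the Bro 1.5-era history letters (uppercase = originator, lowercase = responder; S/s for SYN, H/h for SYN-ACK, A/a for ACK), and that with partial_connection_ok=F the only way a connection whose SYN was never seen gets a record is via tcp_SYN_ack_ok=T.

```bro
# Added example, not from the bro-dev thread or from Bro itself.

# Do not instantiate state for arbitrary mid-stream connections.  With the
# default partial_connection_ok=T, tcp_SYN_ack_ok has no effect, since
# everything is instantiated anyway (see Gregor's remark above).
redef partial_connection_ok = F;

# Keep the default: split-routing deployments that never see the initial
# SYN still get a connection record once the SYN-ACK shows up.
redef tcp_SYN_ack_ok = T;

# Classify the handshake from the implicit state carried in $history.
# Assumption: uppercase letters are originator packets, lowercase are
# responder packets (S=SYN, H=SYN-ACK, A=ACK).
function handshake_kind(hist: string): string
	{
	if ( /^ShA/ in hist )
		return "full handshake";
	if ( /^h/ in hist )
		return "SYN-ACK first (initial SYN not seen)";
	if ( /^S/ in hist )
		return "SYN seen, handshake incomplete";
	return "mid-stream";
	}

event connection_established(c: connection)
	{
	print fmt("%s:%s -> %s:%s history=%s (%s)",
		c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p,
		c$history, handshake_kind(c$history));
	}
```

Flipping tcp_SYN_ack_ok to F in this setup would make the "SYN-ACK first" branch unreachable, since those connections would never be instantiated at all; that is the behaviour change Gregor warns about, and it is independent of how connection_established itself is raised in TCP.cc versus the Connection Compressor.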