[Bro-Dev] connection_established behavior

Robin Sommer robin at icir.org
Mon Dec 20 10:12:21 PST 2010


On Sun, Dec 19, 2010 at 09:32 -0800, you wrote:

> > Perhaps we should just change the default?
> 
> Then you would only instantiate on connections with a full handshake.

Right, that was the intent of the original question, wasn't it?

> Changing this option wouldn't necessarily change event generation
> either, I think.

I think it would. If there's no connection state, there's no
connection_established. 

>  We just have to unify the way the connection_established event is
>  generated in TCP.cc and Connection Compressor.

Note that the CC doesn't generate connection_established itself. It
acts as a filter: once it lets packets through, TCP.cc will generate
the event.

Also, I'm thinking there might actually be a bug in the CC here (or
at least semantics not originally intended): it has an option
cc_handle_only_syns that, if on, tells it to take care only of
initial SYN packets and forward everything else (e.g., a stray data
packet) to normal processing. The motivation for this was to have
less difference to normal TCP processing when the cc is on, and it's
enabled by default (bro.init calls this mode "connection compressor
light").

However, it turns out that a SYN/ACK counts here and *is* processed
by the CC, rather than being passed on. If we changed that so
only pure SYNs were handled, we shouldn't see a difference between
cc on vs. off anymore in this case.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
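
The filtering difference described in the message above, as an added example that is not part of the original post and is not Bro's code: it compares a "SYN bit set" test with a "pure SYN" test over constructed TCP flag combinations. The names route_any_syn, route_pure_syn, Route and Segment are hypothetical.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// TCP header flag bits (RFC 793).
constexpr uint8_t TH_FIN = 0x01, TH_SYN = 0x02, TH_PSH = 0x08, TH_ACK = 0x10;

enum class Route { Compressor, NormalTCP };

// Behaviour the message reports: with cc_handle_only_syns on, any segment
// with the SYN bit set is handled by the compressor, a SYN/ACK included.
Route route_any_syn(uint8_t flags) {
    return (flags & TH_SYN) ? Route::Compressor : Route::NormalTCP;
}

// Change the message suggests: only a pure SYN (SYN set, ACK clear) is
// handled by the compressor; everything else goes to normal processing.
Route route_pure_syn(uint8_t flags) {
    return ((flags & (TH_SYN | TH_ACK)) == TH_SYN) ? Route::Compressor
                                                   : Route::NormalTCP;
}

struct Segment { std::string label; uint8_t flags; };

// Constructed sample: one handshake with data, plus a SYN/ACK that
// arrives without any SYN having been seen.
std::vector<Segment> sample_segments() {
    return {{"SYN", TH_SYN},
            {"SYN/ACK", TH_SYN | TH_ACK},
            {"ACK", TH_ACK},
            {"data", TH_PSH | TH_ACK},
            {"FIN/ACK", TH_FIN | TH_ACK},
            {"lone SYN/ACK", TH_SYN | TH_ACK}};
}

// Labels of the segments that the two predicates route differently.
std::vector<std::string> routed_differently(const std::vector<Segment>& segs) {
    std::vector<std::string> out;
    for (const auto& s : segs)
        if (route_any_syn(s.flags) != route_pure_syn(s.flags))
            out.push_back(s.label);
    return out;
}

int main() {
    for (const auto& label : routed_differently(sample_segments()))
        std::cout << label << " changes route\n";
}
```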

