[Bro-Dev] [JIRA] (BIT-1236) topic/jsiwek/flip-on-syn-ack

[Siwek, Jon]

On Aug 25, 2014, at 4:40 PM, Vlad Grigorescu <vlad at grigorescu.org> wrote:

> Does it makes sense that following a connection teardown, if a SYN-ACK is seen, a new connection begins, instead of using the existing connection? I can probably grab a PCAP if necessary.

Actually, I’m thinking it may already work like you expect in many “normal” situations.  One special case I can remember (there may be others) is that Bro may defer closing out a connection even if it sees the teardown control packets when it thinks it may be possible to fill in a content gap (i.e. it thinks there’s packets coming in out of order, but maybe in your case it’s just never seen at all).  If that doesn’t fit with what you saw and you’ve got a pcap you can send me, I can try to make sense of it.

- Jon