[Bro] connection_state_remove
Robin Sommer
robin at icir.org
Tue Nov 29 16:40:57 PST 2005
On Tue, Nov 29, 2005 at 16:38 -0800, Christian Kreibich wrote:
> I see; but afaik UDP connection state is never expired (until
> net_finish), right? My confusion about the semantics partially stem from
> the fact that I see connection_state_remove used on non-TCP connections,
> but I'm unclear about Bro's treatment of such connections.
*If* Bro expires a UDP connection, it raises
connection_state_remove. But you're right, but default Bro doesn't
remove (most of the) UDP state. But you can set a
udp_inactivity_timeout, then it will (in fact, if you're analyzining
UDP traffic you *really* want to have such a timeout; otherwise your
table is probably the smallest problem :-)
Robin
--
Robin Sommer * Phone +1 (510) 666-2886 * robin at icir.org
ICIR/ICSI * Fax +1 (510) 666-2956 * www.icir.org
More information about the Bro
mailing list