[Bro] Why do I get duplicate new_connection event?

Christian Kreibich christian at whoop.org
Fri Mar 16 15:02:24 PDT 2007


On Thu, 2007-03-15 at 15:01 -0700, Miles Grun wrote:
> Thanks for the quick response. I believed (but I may
> be wrong) this is because only the first 64 bytes of
> the packets exist in this pcap file. Here is test.1
> (uuencoded). I also attach it to this email.

Thanks for this. Robin and I just had a look, and you're indeed not
seeing the intended behavior. The problem is that currently
tcp_close_delay is set to 0 seconds and so Bro considers the connection
complete immediately after having seen both FINs. Either bump up
tcp_close_delay ...

  bro -r test.1 tcp_close_delay=1sec a.bro

... or load heavy-analysis.bro (which also bumps up the various
timeouts):

  bro -r test.1 a.bro heavy-analysis

In the next release, we'll likely set tcp_close_delay to a small but
non-zero timeout.

Cheers,
Christian
-- 
________________________________________________________________________
                                           http://www.icir.org/christian
                                                    http://www.whoop.org
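The effect Christian describes, as an added illustration that is not part of the thread and not Bro's own code: a toy connection tracker that drops a connection as soon as both FINs have been seen plus `close_delay` seconds. With a delay of 0, the final ACK of the handshake-teardown arrives on a 4-tuple the tracker has already forgotten, so it raises a second new_connection; with a non-zero delay the ACK is attached to the existing connection. The packet trace, the `Packet`/`Conn` classes and the event names are constructed for this model and are only meant to mirror the behaviour described above.

```python
"""Toy model of a TCP connection tracker with a configurable close delay.

Constructed illustration of the tcp_close_delay discussion; this is not
Bro's state machine, only a minimal model of the behaviour it describes.
"""
from dataclasses import dataclass, field
from typing import Optional, Tuple, List


@dataclass(frozen=True)
class Packet:
    ts: float          # timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"S", "A", "F"}


@dataclass
class Conn:
    key: tuple
    fins_seen: set = field(default_factory=set)   # endpoints that sent a FIN
    closed_at: Optional[float] = None             # time both FINs were seen


def conn_key(pkt: Packet) -> tuple:
    """Direction-independent 4-tuple so both sides map to one connection."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


class Tracker:
    def __init__(self, close_delay: float):
        self.close_delay = close_delay
        self.conns = {}
        self.events: List[Tuple[str, tuple, float]] = []

    def _expire(self, now: float) -> None:
        """Forget connections whose close delay has elapsed (immediately if 0)."""
        for key, c in list(self.conns.items()):
            if c.closed_at is not None and now - c.closed_at >= self.close_delay:
                del self.conns[key]
                self.events.append(("connection_finished", key, now))

    def process(self, pkt: Packet) -> None:
        self._expire(pkt.ts)
        key = conn_key(pkt)
        c = self.conns.get(key)
        if c is None:
            # Unknown 4-tuple: this is where a duplicate new_connection comes from
            c = Conn(key)
            self.conns[key] = c
            self.events.append(("new_connection", key, pkt.ts))
        if "F" in pkt.flags:
            c.fins_seen.add((pkt.src, pkt.sport))
            if len(c.fins_seen) == 2 and c.closed_at is None:
                c.closed_at = pkt.ts
        # With close_delay == 0 the connection is dropped right here,
        # before the peer's final ACK has a chance to arrive.
        self._expire(pkt.ts)


# Constructed trace: handshake, a clean two-sided FIN exchange, then the
# client's final ACK for the server's FIN arriving 10 ms later.
C, S = "10.0.0.1", "10.0.0.2"
TRACE = [
    Packet(0.000, C, 40000, S, 80, frozenset("S")),
    Packet(0.010, S, 80, C, 40000, frozenset("SA")),
    Packet(0.020, C, 40000, S, 80, frozenset("A")),
    Packet(1.000, C, 40000, S, 80, frozenset("FA")),
    Packet(1.010, S, 80, C, 40000, frozenset("FA")),   # second FIN seen here
    Packet(1.020, C, 40000, S, 80, frozenset("A")),    # final ACK
]


def new_connection_count(close_delay: float) -> int:
    """Run the trace through a tracker and count new_connection events."""
    t = Tracker(close_delay)
    for pkt in TRACE:
        t.process(pkt)
    return sum(1 for name, _, _ in t.events if name == "new_connection")


if __name__ == "__main__":
    for delay in (0.0, 1.0):
        print(f"close_delay={delay}: {new_connection_count(delay)} new_connection event(s)")
```

The first run reproduces the duplicate event from the original question; the second corresponds to `tcp_close_delay=1sec`, where the final ACK still falls inside the grace period and no second connection is created.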