[Bro] Connection Events related to scan.bro
Shoey Fighter
shoeyfighter at gmail.com
Tue Apr 22 23:41:12 PDT 2008
Hello.
I am trying to understand the scanning algorithm, and am having some
slight problems understanding when certain events are generated. Below
I have included a list of the events I am interested in and my best
understanding:

connection_established
    A TCP handshake has been completed successfully.

partial_connection
    ?

connection_attempt
    A TCP SYN packet has been sent.

connection_rejected
    A TCP RST was seen in response to a TCP SYN.

connection_pending
    I am not too sure about this one. Can this only happen if the
    analyzer is shut down in the middle of a connection?

connection_half_finished
    Is this when one side of a connection attempts to close a
    non-existent connection?

Also, slightly unrelated, I noticed in the udp-common.bro, the code
relating to "use_TRW_algorithm" is commented out... Is there a special
reason for this?
Thanks,
Cameron Hertel