To clarify, a SYN-ACK in response to a SYN is enough for Bro to generate connection_established. It doesn't actually look for a full 3-way handshake (i.e., an ACK of the SYN-ACK). Does that help?

Alternatively, if you have traces you can share that demonstrate a failure to get the connection_established event, then we can look into just what's going on.

Vern