[Bro] Event for syn-ack packet
Sheharbano Khattak
sheharbano.k at gmail.com
Wed May 23 09:58:44 PDT 2012
Thanks. I thought the event connection_established was generated after the
initial 3-way handshake is completed as mentioned here:
http://bro-ids.org/documentation/scripts/base/event.bif.html#id-connection_established
On Wed, May 23, 2012 at 9:42 PM, Vern Paxson <vern at icir.org> wrote:
> To clarify, a SYN-ACK in response to a SYN is enough for Bro to generate
> connection_established. It doesn't actually look for a full 3-way
> handshake (i.e., an ACK of the SYN-ACK). Does that help? Alternatively,
> if you have traces you can share that demonstrate a failure to get the
> connection_established event, then we can look into just what's going on.
>
> Vern
>
--
Sheharbano Khattak
http://etheryell.com
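
Added example, not part of the original thread and not Bro's code: a small Python model comparing the rule described in the quoted reply (a SYN-ACK answering a SYN) with a strict 3-way-handshake rule, run over constructed packet sequences. The function name, the 'orig'/'resp' labels and the traces are assumptions made for illustration.

```python
# Constructed model for illustration; this is not how Bro is implemented.
SYN, ACK = 0x02, 0x10  # TCP flag bits


def established_at(packets, require_final_ack):
    """Return the index of the packet at which the connection counts as
    established, or None if it never does.

    packets: list of (sender, flags), sender being 'orig' or 'resp'.
    require_final_ack=False models the rule from the reply: a SYN-ACK in
    response to a SYN is enough.
    require_final_ack=True models a strict 3-way handshake: the originator
    must also ACK the SYN-ACK.
    """
    state = "idle"
    for i, (sender, flags) in enumerate(packets):
        syn, ack = bool(flags & SYN), bool(flags & ACK)
        if sender == "orig" and syn and not ack:
            # Initial SYN; a retransmitted SYN leaves any later state alone.
            if state == "idle":
                state = "syn_seen"
        elif sender == "resp" and syn and ack:
            if state == "idle":
                continue  # unsolicited SYN-ACK: no SYN was seen first
            if not require_final_ack:
                return i
            state = "synack_seen"
        elif sender == "orig" and ack and not syn and state == "synack_seen":
            return i
    return None


# Constructed traces (not captured traffic).
FULL = [("orig", SYN), ("resp", SYN | ACK), ("orig", ACK)]
HALF_OPEN = [("orig", SYN), ("orig", SYN), ("resp", SYN | ACK)]  # no final ACK
SYN_ONLY = [("orig", SYN)]
UNSOLICITED = [("resp", SYN | ACK), ("orig", ACK)]

if __name__ == "__main__":
    traces = [("full", FULL), ("half-open", HALF_OPEN),
              ("syn-only", SYN_ONLY), ("unsolicited", UNSOLICITED)]
    for name, trace in traces:
        print(name,
              "syn-ack rule:", established_at(trace, False),
              "strict rule:", established_at(trace, True))
```

In the half-open trace the SYN-ACK rule fires while the strict rule never does, so logic keyed on such an event should not treat it as proof that the originator completed the handshake.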