[Bro] Event for syn-ack packet

Siwek, Jonathan Luke jsiwek at illinois.edu
Wed May 23 10:06:51 PDT 2012


On May 23, 2012, at 11:42 AM, Vern Paxson wrote:

> To clarify, a SYN-ACK in response to a SYN is enough for Bro to generate
> connection_established.  It doesn't actually look for a full 3-way handshake
> (i.e., an ACK of the SYN-ACK).  Does that help?

Ok, my confusion was that the comment for that event in event.bif was "The event is raised when the initial 3-way TCP handshake has successfully finished for a connection.", but actually testing it out, it seems to be generated for just syn/syn-ack exchanges with nothing further.  I'll update that comment unless there's some other subtlety about why it's worded that way.

One caveat could still be that connection_established is TCP-specific; the example I gave could be used for UDP "connections", too.
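
An added example, not part of the original message and not Bro's own code: a small Python model of the distinction discussed in this thread, separating connections that reached only the SYN/SYN-ACK point (where, per the thread, connection_established is generated) from those where the originator's final ACK was also seen. The `Pkt` tuple, the state names and the sample packets are constructed for illustration.

```python
from collections import namedtuple

# Hypothetical packet record: endpoints are "ip:port" strings, flags is a
# string of TCP flag letters (S=SYN, A=ACK, R=RST).
Pkt = namedtuple("Pkt", "src dst flags")

def handshake_states(packets):
    """Track per-connection handshake progress, keyed by (originator, responder)."""
    states = {}
    for p in packets:
        fl = set(p.flags)
        fwd, rev = (p.src, p.dst), (p.dst, p.src)
        if fl == {"S"} and fwd not in states and rev not in states:
            states[fwd] = "syn_seen"
        elif fl == {"S", "A"} and states.get(rev) == "syn_seen":
            # The point at which the thread says connection_established fires.
            states[rev] = "syn_synack"
        elif "A" in fl and not fl & {"S", "R"} and states.get(fwd) == "syn_synack":
            # Originator acknowledged the SYN-ACK: full 3-way handshake.
            states[fwd] = "full_handshake"
    return states

def established_without_final_ack(states):
    """Connections that count as 'established' on SYN/SYN-ACK alone."""
    return sorted(c for c, s in states.items() if s == "syn_synack")

# Constructed sample traffic (not a real capture).
SAMPLE = [
    Pkt("10.0.0.1:40000", "10.0.0.2:80", "S"),
    Pkt("10.0.0.2:80", "10.0.0.1:40000", "SA"),
    Pkt("10.0.0.1:40000", "10.0.0.2:80", "A"),    # handshake completed
    Pkt("10.0.0.3:40001", "10.0.0.2:80", "S"),
    Pkt("10.0.0.2:80", "10.0.0.3:40001", "SA"),
    Pkt("10.0.0.3:40001", "10.0.0.2:80", "R"),    # originator resets, never ACKs
    Pkt("10.0.0.4:40002", "10.0.0.2:81", "S"),    # no reply at all
]

if __name__ == "__main__":
    states = handshake_states(SAMPLE)
    for conn, state in states.items():
        print(conn, state)
    print("established on SYN/SYN-ACK only:", established_without_final_ack(states))
```

In this model the second connection is the case the thread is about: it would already have produced the event even though the handshake was never acknowledged.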


