[Bro] Event for syn-ack packet

Sheharbano Khattak sheharbano.k at gmail.com
Wed May 23 10:07:07 PDT 2012


If someone tries to open up several half-open connections to our host, how
will we know if we don't distinguish between SYN-ACK and ACK? This implies
that a connection for which an ACK was never heard would still be treated
as an established connection.

On Wed, May 23, 2012 at 10:02 PM, Vern Paxson <vern at icir.org> wrote:

> > Thanks. I thought the event connection_established was generated after the
> > initial 3-way handshake is completed as mentioned here:
>
> Yeah, that's in fact a documentation glitch :-(.  That describes what
> probably *should* be done, but in fact the event is generated on seeing
> the SYN-ACK (I just double-checked the code).  I wrote it that way eons
> ago when Bro often operated on TCP streams that had been filtered to
> SYN/FIN/RST packets only, which meant it wouldn't see the pure ACK
> completing the handshake.
>
>                Vern
>



-- 
Sheharbano Khattak

http://etheryell.com
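The point of the exchange above, as an added illustration that is not part of the original thread and not Bro's own code: a minimal handshake tracker replayed over a constructed packet trace, run once with the behaviour Vern describes (established on seeing the SYN-ACK) and once with the behaviour the documentation describes (established only on the completing ACK). The packet tuples, addresses and function names are all assumptions made up for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed packet record: (src_ip, dst_ip, flags), with flags as TCP flag
# letters: "S" = SYN, "SA" = SYN-ACK, "A" = pure ACK. Hypothetical format.
Packet = Tuple[str, str, str]
ConnKey = Tuple[str, str]  # (originator, responder)


@dataclass
class ConnState:
    saw_syn: bool = False     # originator sent SYN
    saw_synack: bool = False  # responder answered with SYN-ACK
    saw_ack: bool = False     # originator sent the ACK completing the handshake


def replay(packets: List[Packet], established_on_synack: bool):
    """Replay a trace and return (per-connection state, list of
    'connection_established' events raised under the chosen policy)."""
    conns: Dict[ConnKey, ConnState] = {}
    events: List[str] = []
    for src, dst, flags in packets:
        if flags == "S":
            conns.setdefault((src, dst), ConnState()).saw_syn = True
        elif flags == "SA":
            key = (dst, src)  # SYN-ACK flows responder -> originator
            st = conns.get(key)
            if st and st.saw_syn and not st.saw_synack:
                st.saw_synack = True
                if established_on_synack:  # policy Vern describes in the code
                    events.append(f"connection_established {key}")
        elif flags == "A":
            key = (src, dst)
            st = conns.get(key)
            if st and st.saw_synack and not st.saw_ack:
                st.saw_ack = True
                if not established_on_synack:  # policy the docs describe
                    events.append(f"connection_established {key}")
    return conns, events


def established_events(packets: List[Packet], established_on_synack: bool) -> int:
    """Number of connection_established events the policy would raise."""
    return len(replay(packets, established_on_synack)[1])


def half_open_connections(packets: List[Packet]) -> int:
    """Connections where the responder replied with SYN-ACK but the final ACK
    never arrived: the responder holds state for each of these."""
    conns, _ = replay(packets, True)
    return sum(1 for st in conns.values() if st.saw_synack and not st.saw_ack)


# Constructed trace: three half-open attempts (SYN, SYN-ACK, no ACK) and one
# completed handshake against the same responder.
SAMPLE_TRACE: List[Packet] = [
    ("10.0.0.1", "192.0.2.10", "S"), ("192.0.2.10", "10.0.0.1", "SA"),
    ("10.0.0.2", "192.0.2.10", "S"), ("192.0.2.10", "10.0.0.2", "SA"),
    ("10.0.0.3", "192.0.2.10", "S"), ("192.0.2.10", "10.0.0.3", "SA"),
    ("10.0.0.9", "192.0.2.10", "S"), ("192.0.2.10", "10.0.0.9", "SA"),
    ("10.0.0.9", "192.0.2.10", "A"),
]

if __name__ == "__main__":
    print("established on SYN-ACK:", established_events(SAMPLE_TRACE, True))
    print("established on ACK:    ", established_events(SAMPLE_TRACE, False))
    print("half-open:             ", half_open_connections(SAMPLE_TRACE))
```

With the SYN-ACK policy every one of the four attempts raises connection_established, including the three that never completed; with the ACK policy only the completed one does. A script that wants to distinguish half-open from established connections under the behaviour Vern describes therefore has to track the completing ACK itself rather than rely on that event alone.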