[Bro] connection states

Seth Hall seth at icir.org
Mon Jul 22 06:53:40 PDT 2013


On Jul 21, 2013, at 2:11 AM, Laleh Arshadi <la_arshadi at yahoo.com> wrote:

> Seems that Bro classifies connections into a number of states in its "connection summaries" log files. States such as SF, REJ, etc. upon which it then classifies the connection into one of the three states "good", "bad" or "unknown". I was wondering if one could give me a direct pointer to a reference in which these states are discussed thoroughly.

I suspect the link from Alex answered your question, but to go a little further than the rote documentation I'd like to point out that what that field really represents is how Bro chose to perceive the connection.  Since Bro is a third party passive observer it can't always perfectly understand the conversation for various reasons like packet loss, missing packets due to asynchronous routing, or peculiar host semantics that Bro doesn't understand.

Check out the history field too if you want a little more information about what Bro actually saw on the wire.  It's documented on the same page:
	http://www.bro.org/sphinx-git/scripts/base/protocols/conn/main.html

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
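Added example (not part of the thread, and not Bro's own code): a small Python decoder that reads the conn_state and history fields out of a tab-separated conn.log and spells out what Bro perceived versus what it saw on the wire, along the lines of Seth's reply. The conn_state and history letter meanings follow the conn/main documentation linked above (uppercase history letters are the originator, lowercase the responder, "^" marks a direction flip); the log lines, uids and addresses are constructed sample data. The "notes" it emits are this example's own heuristics for spotting the perception problems mentioned in the reply (midstream pickup, flipped direction, retransmissions, checksum errors, an SF whose handshake was only partly observed).

```python
"""Decode Bro/Zeek conn.log conn_state and history fields (added example)."""
from typing import Dict, List

# Constructed conn.log excerpt with a #fields header as Bro writes it.
# uids, hosts and timestamps are made up for this example.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state\thistory\n"
    "1374478800.1\tCx1\t10.0.0.5\t51000\t10.0.0.9\t80\ttcp\tSF\tShADadFf\n"
    "1374478801.2\tCx2\t10.0.0.5\t51001\t10.0.0.9\t22\ttcp\tREJ\tSr\n"
    "1374478802.3\tCx3\t10.0.0.5\t51002\t10.0.0.9\t443\ttcp\tS0\tS\n"
    "1374478803.4\tCx4\t10.0.0.9\t443\t10.0.0.5\t51003\ttcp\tOTH\t^dDa\n"
    "1374478804.5\tCx5\t10.0.0.5\t5353\t10.0.0.9\t53\tudp\tSF\tDd\n"
)

# conn_state meanings, per the conn/main documentation.
CONN_STATES: Dict[str, str] = {
    "S0": "Connection attempt seen, no reply",
    "S1": "Connection established, not terminated",
    "SF": "Normal establishment and termination",
    "REJ": "Connection attempt rejected",
    "S2": "Established, close attempt by originator seen, no reply from responder",
    "S3": "Established, close attempt by responder seen, no reply from originator",
    "RSTO": "Established, originator aborted (sent a RST)",
    "RSTR": "Responder sent a RST",
    "RSTOS0": "Originator sent SYN then RST, no SYN-ACK from responder seen",
    "RSTRH": "Responder sent SYN-ACK then RST, no SYN from originator seen",
    "SH": "Originator sent SYN then FIN, no SYN-ACK from responder seen (half open)",
    "SHR": "Responder sent SYN-ACK then FIN, no SYN from originator seen",
    "OTH": "No SYN seen, just midstream traffic (partial connection)",
}

# history letters; case selects the side (upper = originator, lower = responder).
HISTORY_LETTERS: Dict[str, str] = {
    "s": "SYN (no ACK)", "h": "SYN-ACK", "a": "pure ACK", "d": "payload data",
    "f": "FIN", "r": "RST", "c": "bad checksum", "t": "retransmission",
}


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse a tab-separated conn.log body using its #fields header."""
    fields: List[str] = []
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):  # other header lines (#separator, #types, ...)
            continue
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def decode_history(history: str) -> Dict[str, object]:
    """Split the history string into per-side event lists."""
    events: Dict[str, object] = {"orig": [], "resp": [], "flipped": False}
    if history == "-":  # field unset, e.g. some non-TCP connections
        history = ""
    for ch in history:
        if ch == "^":
            events["flipped"] = True
            continue
        side = "orig" if ch.isupper() else "resp"
        events[side].append(HISTORY_LETTERS.get(ch.lower(), "unknown(%s)" % ch))
    return events


def perception_notes(record: Dict[str, str]) -> List[str]:
    """Heuristics (this example's own) for where Bro's view may be incomplete."""
    state = record.get("conn_state", "")
    hist = record.get("history", "")
    lower = hist.lower()
    notes = []
    if record.get("proto") != "tcp":
        return notes  # handshake reasoning below only applies to TCP
    if "^" in hist:
        notes.append("direction flipped: first packet seen was not from the true originator")
    if "s" not in lower:
        notes.append("no SYN observed: Bro picked the connection up midstream")
    if "t" in lower:
        notes.append("retransmissions seen: possible loss on the path or the tap")
    if "c" in lower:
        notes.append("bad checksums seen: offload or capture artefacts likely")
    if state == "SF" and "h" not in lower:
        notes.append("SF without an observed SYN-ACK: handshake only partly seen")
    return notes


def summarize(text: str) -> List[Dict[str, object]]:
    """Annotate every record with the meaning of its state and history."""
    out = []
    for rec in parse_conn_log(text):
        state = rec.get("conn_state", "")
        out.append({
            "uid": rec.get("uid"),
            "state": state,
            "meaning": CONN_STATES.get(state, "unknown state"),
            "history": decode_history(rec.get("history", "-")),
            "notes": perception_notes(rec),
        })
    return out


if __name__ == "__main__":
    for row in summarize(SAMPLE_CONN_LOG):
        print(row["uid"], row["state"], "-", row["meaning"])
        print("   orig:", row["history"]["orig"], " resp:", row["history"]["resp"])
        for note in row["notes"]:
            print("   note:", note)
```

Feed it a real conn.log (with the proto, conn_state and history columns present) and the notes column is a quick way to separate "the connection really ended this way" from "Bro could not see enough of it to be sure", which is the distinction the reply is making.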