[Bro] connection states
Laleh Arshadi
la_arshadi at yahoo.com
Mon Jul 22 08:54:18 PDT 2013
Hi
Thank you both Alex and Seth for the link and the explanation. I got the taste of the connection states, now I am looking for the policies upon which Bro decides that a connection is "good", "bad' or "unkown". Is anything stated in the documents in this regard?
Regards
Laleh
________________________________
On Jul 21, 2013, at 2:11 AM, Laleh Arshadi <la_arshadi at yahoo.com> wrote:
> Seems that Bro classifies connections into a number of states in its "connection summaries" log files. States such SF, REJ, etc. upon which it then classifies the connection into one of the three states "good", "bad' or "unkown". I was wondering if one could give me a direct pointer to a reference in which these states are discussed thoroughly.
I suspect the link from Alex answered your question, but to go a little further than the rote documentation I'd like to point out that what that field really represents is how Bro chose to perceive the connection. Since Bro is a third party passive observer it can't always perfectly understand the conversation for various reasons like packet loss, missing packets due to asynchronous routing, or peculiar host semantics that Bro doesn't understand.
Check out the history field too if you want a little more information about what Bro actually saw on the wire. It's documented on the same page:
http://www.bro.org/sphinx-git/scripts/base/protocols/conn/main.html
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20130722/6d95af09/attachment.html
More information about the Bro
mailing list