On Sep 8, 2014, at 8:36 AM, David Hoelzer <dhoelzer at sans.org> wrote: > I’m curious as to whether or not an invalid checksum as a result of offloading would prevent the tcp_SYN_packet event from firing…? If you mean “connection_SYN_packet”, the default behavior is to not generate that event for packets w/ invalid checksums. - Jon