[Bro] Weird behavior
Hoelzer, Dave
dhoelzer at sans.org
Sun Jul 24 04:34:21 PDT 2016
I have not looked, but might you be seeing the SYN-ACK from the respondent trigger the rule as well?
———————————————————
David Hoelzer
Fellow, SANS Institute
Dean of Faculty, SANS Technology Institute
On July 23, 2016 at 4:39:13 PM, Ben Mixon-Baca (bmixonb1 at cs.unm.edu) wrote:
Hi,
I have been trying to trace a bug in my code. I put print
statements in several events including connection_SYN_packet. I am
seeing this event getting fired off twice for every SYN packet seen on
the wire. When I inspect the pcap with Wireshark however, I have only
found a single SYN packet. So I am wondering if there is something
special happening in the event engine when using low level functions
like connect_SYN_packet, that might cause this behavior.
--
Ben