So I am seeing some weird stuff in my sample pcap of scanners. May be too obvious and I am just not seeing why/how of it.
Here is the issue : ( I have time in human format for easier read): SO I just pick one session from conn.log and this is the connection in question: (there are many more like this): $ fgrep CspAa42NoEGEaXK4ci conn.log | cf Apr 12 05:37:42 CspAa42NoEGEaXK4ci 18.104.22.168 45107 22.214.171.124 23 tcp - - - - S0 F T 0 S 1 40 0 0 - Now as part of debugging I have dumped network_time for various events which process this connection: Apr 12 05:37:42 new_connection CspAa42NoEGEaXK4ci Apr 12 06:13:48 connection_attempt CspAa42NoEGEaXK4ci Apr 12 06:13:48 connection_state_remove CspAa42NoEGEaXK4ci Now my understanding is there are various timers involved upon whose expirations bro infers events such as connection_attempt, connection_reset etc etc. Timers such as tcp_attempt_delay, tcp_SYN_timeout, tcp_close_delay amongst others. But all these timers are generally 5 seconds. Q. Why would connection_attempt event kick in after 36 minutes and 6 seconds ? ( 06:13:48 - 05:37:42 ) ? I have a pcap to share if anyone is interested and replicate on their end. Aashish _______________________________________________ bro-dev mailing list firstname.lastname@example.org http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev