Comparison data between bro-1.4prerelease and bro-1.2.1.

I ran the two bro versions with 6 tcpdump files and registered the differences
on the following table:


spontaneous_RST 15-1,4-3,4-1,11-19,32-1,56-1
spontaneous_FIN 10-1,8-0,9-0,85-55,25-2,71-1
window_recision 26-26,29-29,0-0,48-48,0-0,52-52
SYN_seq_jump 1-1,0-0,0-0,1-1,0-0,0-0
SYN_inside_connection 1-1,0-0,0-0,0-0,0-0,0-0
active_connection_reuse 1-0,0-0,0-0,0-0,0-0,0-0
unsolicited_SYN_response 1-0,7-7,0-0,1-1,0-0,0-0
SYN_after_close 0-1,0-0,0-0,0-0,0-0,0-0
above_hole_data_without_any_acks 0-0,1-1,0-0,0-0,0-0,0-0
data_before_established 0-0,0-0,0-0,1-1,0-0,0-0

So,the difference is essentially around spontaneous_RST and spontaneous_FIN
weird events.The dump files are for webbrowsing only traffic.I don’t know if
this has any practical interest but that’s what I get using bro-1.4prerelease,for
this very small sample and very limited network protocols.

The command line I use:
export BROPATH=/usr/local/bro-1.2.1/policy:/usr/local/bro-1.2.1/site
/usr/local/bro-1.2.1/bin/bro -r tcpdumpfile

The same for bro-1.4prerelease,but here the bro environment is set up for the
directories where the policy and sig files are:

So,the difference is essentially around spontaneous_RST and spontaneous_FIN
weird events.

These then are harmless differences. Those will vary in unimportant ways
depending on the setting of timers and details of connection tear-down.