- Instantiating on SYN ACK came about due to coping with Bro
deployments with split routing, such that they never saw
initial SYNs for some connections.
Ah, ok.
In principle,
Bro should stop trying to follow the RFC 793 notion of TCP states,
and instead go with an empirical set.
Thanks for the backstory on this, it makes this much clearer for me. Perhaps I'll file a ticket for someone to look into doing this for 1.7.
The only thing that is still nagging me is that the behavior is different with the connection compressor than it is without it. Does it make sense to do anything to make the connection_compressor and non-connection_compressor scenarios end up with the same result?
.Seth