The question may be obvious from the subject line itself. How does Bro
handle the case when a SYN is received for a session that is in the
(we are referring to a SYN that has the same src/dst ip/port)
- IDS analyzes the TWH between client and server
- IDS sees/analyzes the data transfer
- Now IDS sees a SYN from client to server (same tuple)
One case how this may happen is if the client machine crashes (Page 33/RFC
793) and restarts and connects using the same tuple.
In this case the server responds with an ACK, client tears down the
session and a new one starts.
Other than this case, are there any cases when the client/server needs
to send SYN/SYN-ACK after a session is established?
For example, to renegotiate window scaling?
Thanks for the reply.
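The scenario in the question, as a constructed example added here (it is not Bro's own connection-tracking logic, and every packet, address and port below is made up): a toy passive tracker that follows the three-way handshake and the data transfer per 4-tuple, and when a bare SYN arrives for a tuple it already considers established, it logs a `syn_on_established` event with the bytes seen so far and opens a new generation of the record instead of treating the SYN as mid-stream traffic. The constructed trace reproduces the RFC 793 page-33 sequence the post describes: the server answers the stray SYN with an ACK, the restarted client tears the old session down with a RST, and a fresh handshake follows on the same tuple.

```python
"""Toy passive TCP connection tracker for the mid-stream-SYN case.
Constructed example; not Bro's logic. All packets below are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # e.g. "SYN", "SYN|ACK", "ACK", "RST"
    payload: int = 0    # bytes of TCP payload carried


@dataclass
class Conn:
    orig: tuple                 # (ip, port) of the endpoint that sent the SYN
    state: str = "SYN_SENT"
    bytes_orig: int = 0
    bytes_resp: int = 0
    generation: int = 1         # bumped when a SYN restarts an established tuple


def conn_key(p):
    """Direction-agnostic 4-tuple so both directions map to one record."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class Tracker:
    def __init__(self):
        self.conns = {}
        self.events = []   # (event name, generation, bytes seen) for the analyst

    def feed(self, p):
        k = conn_key(p)
        flags = set(p.flags.split("|"))
        c = self.conns.get(k)

        if "SYN" in flags and "ACK" not in flags:
            gen = 1
            if c is not None:
                gen = c.generation
                if c.state == "ESTABLISHED":
                    # SYN on an established tuple (RFC 793 p.33: a crashed and
                    # restarted client). From the monitor's view the old
                    # connection is over: record it and start a new generation
                    # rather than treating the SYN as part of the data stream.
                    self.events.append(("syn_on_established", gen,
                                        c.bytes_orig + c.bytes_resp))
                    gen += 1
            self.conns[k] = Conn(orig=(p.src, p.sport), generation=gen)
            return

        if c is None:
            return  # picked up mid-stream with no handshake; ignored in this toy

        if "RST" in flags:
            c.state = "RESET"
        elif "SYN" in flags and c.state == "SYN_SENT":
            c.state = "SYN_ACK_SEEN"          # server's SYN|ACK
        elif c.state == "SYN_ACK_SEEN" and (p.src, p.sport) == c.orig:
            c.state = "ESTABLISHED"           # client's final ACK of the TWH
        elif c.state == "ESTABLISHED" and p.payload:
            if (p.src, p.sport) == c.orig:
                c.bytes_orig += p.payload
            else:
                c.bytes_resp += p.payload


def run_example():
    """Constructed trace: handshake, data, client restart with the same tuple."""
    C, S = ("10.0.0.5", 40000), ("192.0.2.10", 80)
    trace = [
        Pkt(*C, *S, "SYN"),
        Pkt(*S, *C, "SYN|ACK"),
        Pkt(*C, *S, "ACK"),
        Pkt(*C, *S, "ACK", 100),      # request
        Pkt(*S, *C, "ACK", 2000),     # response
        Pkt(*C, *S, "SYN"),           # client restarted, reuses the tuple
        Pkt(*S, *C, "ACK"),           # server ACKs per RFC 793, no SYN|ACK
        Pkt(*C, *S, "RST"),           # client tears the stale session down
        Pkt(*C, *S, "SYN"),           # new handshake on the same tuple
        Pkt(*S, *C, "SYN|ACK"),
        Pkt(*C, *S, "ACK"),
    ]
    t = Tracker()
    for p in trace:
        t.feed(p)
    conn = t.conns[conn_key(trace[0])]
    return t.events, conn.state, conn.generation


if __name__ == "__main__":
    print(run_example())
```

The point a monitor has to get right is the `generation` bump: without it, the bytes of the restarted client's new session would be accounted to the old connection record, and the stray SYN would look like an anomaly inside an established stream rather than the start of a new one.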