Question: Handling a SYN segment when the TCP session is in the ESTABLISHED state


The question may be obvious from the subject line itself. How does Bro
handle the case when a SYN is received for a session that is in the
established state.
(we are referring to the a SYN that has the same src/dst ip/port)

- IDS analyzes the TWH between client and server
- IDS sees/analyzes the data transfer
- Now IDS sees a SYN from client to server (same tuple)

One case how this may happen is if client machine crashes (Page 33/RFC
793) and restarts and connects using same tuple.
In this case the server responds with an ACK, client tears down the
session and a new one starts.

Other than this case are there any case when the client/server needs
to send SYN/SYN-ACK after a session is established?
For e.g. to renegotiate window scaling ?

Thanks for the reply.