Hi,
I have been trying to find trace a bug in my code. I put print
statements in several events including connection_SYN_packet. I am
seeing this event getting fired off twice for every SYN packet seen on
the wire. When I inspect the pcap with wireshark however, I have only
found a single SYN packet. So I am wondering if there is something
special happening in the event engine when using low level functions
like connect_SYN_packet, that might cause this behavior.
I have not looked, but might you be seeing the SYN-ACK from the respondent trigger the rule as well?
Generally, there shouldn't. It's hard to say what's happening without
seeing the packets. If you can send a small trace exhibiting the
problem and the Bro script/command line you're using, we can probably
figure it out pretty quickly.
And just to confirm what Dave wrote: yes, SYN/ACKs will trigger the
event as well, pkt$is_orig says which side the packet came from.
Robin