From 8e9dc3c78925bbcce2e039aaae357eaae66d9213 Mon Sep 17 00:00:00 2001 From: Jon Siwek Date: Wed, 13 Feb 2019 16:14:50 -0800 Subject: [PATCH] Improve format of conn_state docs --- CHANGES | 4 +++ VERSION | 2 +- doc | 2 +- scripts/base/protocols/conn/main.bro | 54 +++++++++++++++++++--------- 4 files changed, 43 insertions(+), 19 deletions(-) diff --git a/CHANGES b/CHANGES index 9e7d1ac38d..66f5a0c293 100644 --- a/CHANGES +++ b/CHANGES @@ -1,4 +1,8 @@ +2.6-117 | 2019-02-13 16:14:50 -0800 + + * Improve format of conn_state docs (Jon Siwek, Corelight) + 2.6-116 | 2019-02-07 10:32:01 -0600 * GH-208: change invalid subnet expressions to a runtime error (Jon Siwek, Corelight) diff --git a/VERSION b/VERSION index 00715596d3..5f12dc8c47 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -2.6-116 +2.6-117 diff --git a/doc b/doc index 0083f90048..eda3c6f2e8 160000 --- a/doc +++ b/doc @@ -1 +1 @@ -Subproject commit 0083f9004852a1843569b699900d0728ec0137b6 +Subproject commit eda3c6f2e8cb82a29f4407e12d51a5acde3e276e diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro index e96b27873c..e2209b6e22 100644 --- a/scripts/base/protocols/conn/main.bro +++ b/scripts/base/protocols/conn/main.bro @@ -37,23 +37,43 @@ export { ## *orig_bytes*. resp_bytes: count &log &optional; - ## ========== =============================================== - ## conn_state Meaning - ## ========== =============================================== - ## S0 Connection attempt seen, no reply. - ## S1 Connection established, not terminated. - ## SF Normal establishment and termination. Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be. - ## REJ Connection attempt rejected. - ## S2 Connection established and close attempt by originator seen (but no reply from responder). - ## S3 Connection established and close attempt by responder seen (but no reply from originator). - ## RSTO Connection established, originator aborted (sent a RST). - ## RSTR Responder sent a RST. - ## RSTOS0 Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder. - ## RSTRH Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator. - ## SH Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open). - ## SHR Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator. - ## OTH No SYN seen, just midstream traffic (a "partial connection" that was not later closed). - ## ========== =============================================== + ## Possible *conn_state* values: + ## + ## * S0: Connection attempt seen, no reply. + ## + ## * S1: Connection established, not terminated. + ## + ## * SF: Normal establishment and termination. + ## Note that this is the same symbol as for state S1. + ## You can tell the two apart because for S1 there will not be any + ## byte counts in the summary, while for SF there will be. + ## + ## * REJ: Connection attempt rejected. + ## + ## * S2: Connection established and close attempt by originator seen + ## (but no reply from responder). + ## + ## * S3: Connection established and close attempt by responder seen + ## (but no reply from originator). + ## + ## * RSTO: Connection established, originator aborted (sent a RST). + ## + ## * RSTR: Responder sent a RST. + ## + ## * RSTOS0: Originator sent a SYN followed by a RST, we never saw a + ## SYN-ACK from the responder. + ## + ## * RSTRH: Responder sent a SYN ACK followed by a RST, we never saw a + ## SYN from the (purported) originator. + ## + ## * SH: Originator sent a SYN followed by a FIN, we never saw a + ## SYN ACK from the responder (hence the connection was "half" open). + ## + ## * SHR: Responder sent a SYN ACK followed by a FIN, we never saw a + ## SYN from the originator. + ## + ## * OTH: No SYN seen, just midstream traffic (a "partial connection" + ## that was not later closed). conn_state: string &log &optional; ## If the connection is originated locally, this value will be T.