From 9cd4071cb3212a61e73f1b8f92c6c5b4d6969fcc Mon Sep 17 00:00:00 2001
From: Vlad Grigorescu
Date: Mon, 24 Aug 2015 12:10:35 -0500
Subject: [PATCH] Add Q and update I documentation for conn history - Q (MULTI_FLAG_PKT) was not in the documentation for the history field. - I (FIN_RST_PKT) was documented incorrectly. It was documented as a SYN+RST, when it actually represents a FIN+RST. The new documentation was derived from: https://github.com/bro/bro/blob/d3f513f/src/analyzer/protocol/tcp/TCP.cc#L493 Addresses BIT-1466
---
 scripts/base/protocols/conn/main.bro | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/base/protocols/conn/main.bro b/scripts/base/protocols/conn/main.bro
index 7ef204268b..de9a78f975 100644
--- a/scripts/base/protocols/conn/main.bro
+++ b/scripts/base/protocols/conn/main.bro
@@ -87,7 +87,8 @@ export {
 ## f packet with FIN bit set
 ## r packet with RST bit set
 ## c packet with a bad checksum
- ## i inconsistent packet (e.g. SYN+RST bits both set)
+ ## i inconsistent packet (FIN+RST bits both set)
+ ## q multi-flag packet (SYN+FIN or SYN+RST bits both set)
 ## ====== ====================================================
 ##
 ## If the event comes from the originator, the letter is in
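Review bot: The corrected `i` row and the new `q` row overlap for a packet that has SYN, FIN and RST all set, and the table does not say which letter the history field records in that case. The rows read "FIN+RST bits both set" and "SYN+FIN or SYN+RST bits both set", so someone building a conn.log filter for malformed flag combinations cannot tell from this comment whether to expect `i`, `q` or both; this should be checked against the TCP.cc logic linked in the commit message and reflected in the row, for example `## q multi-flag packet (SYN together with FIN or RST; see i for FIN+RST)`. Because `i` was previously documented as SYN+RST, a short remark near the table that queries keyed on `i` for SYN+RST should use `q` instead would keep existing detections from silently matching the wrong traffic. The history comment block starts before and continues after this hunk, so the rest of the table is not visible here.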