Adding conn.bro documentation for 'conn_state' and 'history' fields.

policy/conn.bro

@@ -16,8 +16,49 @@ export {
 		duration:     interval        &log &optional;
 		orig_bytes:   count           &log &optional;
 		resp_bytes:   count           &log &optional;
+
+		## ==========   ===============================================
+		## conn_state   Meaning
+		## ==========   ===============================================
+		## S0           Connection attempt seen, no reply.
+		## S1           Connection established, not terminated.
+		## SF           Normal establishment and termination. Note that this is the same symbol as for state S1. You can tell the two apart because for S1 there will not be any byte counts in the summary, while for SF there will be.
+		## REJ          Connection attempt rejected.
+		## S2           Connection established and close attempt by originator seen (but no reply from responder).
+		## S3           Connection established and close attempt by responder seen (but no reply from originator).
+		## RSTO         Connection established, originator aborted (sent a RST).
+		## RSTR         Established, responder aborted.
+		## RSTOS0       Originator sent a SYN followed by a RST, we never saw a SYN-ACK from the responder.
+		## RSTRH        Responder sent a SYN ACK followed by a RST, we never saw a SYN from the (purported) originator.
+		## SH           Originator sent a SYN followed by a FIN, we never saw a SYN ACK from the responder (hence the connection was "half" open).
+		## SHR          Responder sent a SYN ACK followed by a FIN, we never saw a SYN from the originator.
+		## OTH          No SYN seen, just midstream traffic (a "partial connection" that was not later closed).
+		## ==========   ===============================================
 		conn_state:   string          &log &optional;
+
 		local_orig:   bool            &log &optional;
+
+		## Records the state history of (TCP) connections as
+		## a string of letters.
+		##
+		## ======  ====================================================
+		## Letter  Meaning
+		## ======  ====================================================
+		## s       a SYN w/o the ACK bit set
+		## h       a SYN+ACK ("handshake")
+		## a       a pure ACK
+		## d       packet with payload ("data")
+		## f       packet with FIN bit set
+		## r       packet with RST bit set
+		## c       packet with a bad checksum
+		## i       inconsistent packet (e.g. SYN+RST bits both set)
+		## ======  ====================================================
+		##
+		## If the letter is in upper case it means the event comes from the
+		## originator and lower case then means the responder.
+		## Also, there is compression. We only record one "d" in each direction,
+		## for instance. I.e., we just record that data went in that direction.
+		## This history is not meant to encode how much data that happened to be.
 		history:      string          &log &optional;
 	};