This ties into something I had noticed recently. Certain scanning tools like to use the same source port per destination IP (I imagine to cache portions of the TCP header). During these scans, multiple TCP connections occur. Bro saw traffic that had:
- A connection that was set up and torn down as expected (conn_state == "SF")
- A few minutes pass
- A second connection that was set up and torn down as expected, *except* that the first SYN was missed - either by Bro or upstream loss.
Bro considered these the same connection.
Does it make sense that following a connection teardown, if a SYN-ACK is seen, a new connection begins, instead of using the existing connection? I can probably grab a PCAP if necessary.
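To make the scenario concrete, here is a small flow tracker that replays the packet sequence described above. This is an added example and not code from the original post or from Bro itself: the packets are constructed (scanner 10.0.0.5:40000 reusing the same source port against 10.0.0.9:80, with the second SYN dropped), and the `state()` labels only approximate Bro's conn_state table. With `split_on_reuse=False` every packet on the 4-tuple is folded into the first connection, so both scans collapse into one "SF" record spanning three minutes; with `split_on_reuse=True` a SYN or SYN-ACK arriving on an already torn-down 4-tuple closes the old record and opens a new one, which is the behaviour the post asks about.

```python
"""Simplified TCP connection tracker (constructed example, not Bro code)."""
from dataclasses import dataclass

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass
class Pkt:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


@dataclass
class Conn:
    orig: tuple          # (ip, port) of the purported originator
    resp: tuple          # (ip, port) of the responder
    start: float
    end: float = 0.0
    syn: bool = False
    synack: bool = False
    fin_orig: bool = False
    fin_resp: bool = False
    rst: bool = False
    pkts: int = 0

    def torn_down(self) -> bool:
        """Both sides sent FIN, or someone sent RST."""
        return self.rst or (self.fin_orig and self.fin_resp)

    def state(self) -> str:
        """Approximation of Bro's conn_state labels (assumption, not Bro's logic)."""
        if self.rst:
            return "RST"
        if self.syn and self.synack and self.fin_orig and self.fin_resp:
            return "SF"     # normal establish and finish
        if self.syn and self.synack:
            return "S1"     # established, not yet terminated
        if self.synack and not self.syn:
            return "SHR"    # SYN-ACK seen but the originator's SYN was missed
        if self.syn:
            return "S0"     # SYN only
        return "OTH"        # midstream traffic only


def key_of(p: Pkt) -> tuple:
    """Direction-independent 4-tuple used as the connection table key."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def new_conn(p: Pkt) -> Conn:
    # If the first packet we see is a SYN-ACK, its sender is the responder.
    if p.flags & SYN and p.flags & ACK:
        return Conn(orig=(p.dst, p.dport), resp=(p.src, p.sport), start=p.ts)
    return Conn(orig=(p.src, p.sport), resp=(p.dst, p.dport), start=p.ts)


def update(c: Conn, p: Pkt) -> None:
    c.pkts += 1
    c.end = p.ts
    sender = (p.src, p.sport)
    if p.flags & SYN and p.flags & ACK:
        c.synack = True
    elif p.flags & SYN:
        c.syn = True
    if p.flags & FIN:
        if sender == c.orig:
            c.fin_orig = True
        else:
            c.fin_resp = True
    if p.flags & RST:
        c.rst = True


def track(pkts, split_on_reuse: bool) -> list:
    """Return connection records in the order they were closed/created."""
    live, done = {}, []
    for p in pkts:
        k = key_of(p)
        c = live.get(k)
        # Handshake packet (SYN or SYN-ACK) on a 4-tuple that already finished:
        # treat it as a brand-new connection instead of extending the old one.
        if c is not None and split_on_reuse and c.torn_down() and p.flags & SYN:
            done.append(live.pop(k))
            c = None
        if c is None:
            c = new_conn(p)
            live[k] = c
        update(c, p)
    return done + list(live.values())


S, T = ("10.0.0.5", 40000), ("10.0.0.9", 80)   # constructed scanner and target


def _o(ts, flags):  # originator -> responder
    return Pkt(ts, S[0], S[1], T[0], T[1], flags)


def _r(ts, flags):  # responder -> originator
    return Pkt(ts, T[0], T[1], S[0], S[1], flags)


# Scan 1: full handshake and teardown.  Scan 2, three minutes later, reuses
# the same source port but its SYN was never captured.
PACKETS = [
    _o(0.00, SYN), _r(0.01, SYN | ACK), _o(0.02, ACK),
    _o(0.03, FIN | ACK), _r(0.04, FIN | ACK), _o(0.05, ACK),
    _r(180.01, SYN | ACK), _o(180.02, ACK),
    _o(180.03, FIN | ACK), _r(180.04, FIN | ACK), _o(180.05, ACK),
]

if __name__ == "__main__":
    for mode in (False, True):
        for c in track(PACKETS, split_on_reuse=mode):
            print(f"split={mode} {c.state():4} pkts={c.pkts:2} "
                  f"duration={c.end - c.start:.2f}s")
```

Running it shows the merged record first (one "SF" connection, 11 packets, ~180 s long), then the split view: the original "SF" connection with 6 packets followed by a second, 5-packet record whose missing SYN is visible in its state rather than hidden inside the first connection's duration.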