tptacek 14 hours ago

Tools like these aren't really intended for adversarial environments, and pure network tools that are designed for real adversaries have a really spotty track record (good search: [bro vantage point problem]).

entrop 10 hours ago

That search did not come up with much. Can you elaborate?

alwa 8 hours ago

Not tptacek, but my search yielded this, which seems relevant (to the network monitoring tool once named Bro, now Zeek):

https://www.icir.org/mallman/pubs/APT07/APT07.pdf

> The “SH” state indicates that the remote peer sent a SYN followed by a FIN—however, the monitor never recorded a SYN-ACK from the local peer. At first glance, this would seem to indicate a scanner that is trying to make connection attempts look as real as possible in the hopes of not triggering an alarm. However, such connections can also indicate a vantage point problem whereby the monitor is not observing outgoing traffic from some hosts. While in general the monitor placement at LBNL can observe both incoming and outgoing traffic, there were periods of time where the traffic for some LBNL hosts would partially bypass the monitor. From a measurement perspective this is clearly undesirable.
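The "SH" state in the quoted passage is one of the connection states a passive monitor infers from the TCP flags it happens to see, and the vantage point problem is that two very different realities (a scanner that never got an answer, and a real connection whose reply direction bypassed the sensor) produce the same state. The following is an added example, not code from the thread, from Zeek/Bro, or from the cited paper: a toy classifier whose state names follow Zeek's documented conn_state values (S0, S1, SF, REJ, S2, S3, RSTO, RSTR, RSTOS0, RSTRH, SH, SHR, OTH) but whose matching logic is a deliberately simplified flags-only re-implementation with no sequence tracking or timeouts. The packet traces are constructed, and `drop_direction` is a hypothetical helper that simulates the monitor being blind to one side's traffic.

```python
"""Toy TCP connection-state classifier in the style of Zeek/Bro conn_state.

Added example; not Zeek code. State names follow Zeek's conn.log
documentation, but the logic here is a simplified flags-only
re-implementation (assumption: no sequence numbers, no timeouts).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Pkt:
    """One observed TCP segment.

    direction: 'orig' (initiator -> responder) or 'resp' (responder -> initiator)
    flags:     any subset of "SAFR" (SYN, ACK, FIN, RST)
    """
    direction: str
    flags: str


def classify(pkts: Iterable[Pkt]) -> str:
    """Infer a Zeek-like conn_state from the segments the monitor saw."""
    pkts = list(pkts)
    orig = [p for p in pkts if p.direction == "orig"]
    resp = [p for p in pkts if p.direction == "resp"]

    orig_syn = any("S" in p.flags and "A" not in p.flags for p in orig)
    resp_synack = any("S" in p.flags and "A" in p.flags for p in resp)
    orig_fin = any("F" in p.flags for p in orig)
    resp_fin = any("F" in p.flags for p in resp)
    orig_rst = any("R" in p.flags for p in orig)
    resp_rst = any("R" in p.flags for p in resp)

    if orig_syn and resp_synack:
        # Handshake seen from both sides: the connection was established.
        if orig_fin and resp_fin:
            return "SF"      # normal establishment and termination
        if orig_rst:
            return "RSTO"    # originator aborted
        if resp_rst:
            return "RSTR"    # responder aborted
        if orig_fin:
            return "S2"      # originator closed, no FIN from responder
        if resp_fin:
            return "S3"      # responder closed, no FIN from originator
        return "S1"          # established, never terminated (in this trace)

    if orig_syn and not resp_synack:
        # We saw the attempt but never a SYN-ACK from the responder.
        if resp_rst:
            return "REJ"     # attempt rejected
        if orig_rst:
            return "RSTOS0"  # originator SYN then RST, no SYN-ACK seen
        if orig_fin:
            return "SH"      # originator SYN then FIN, no SYN-ACK seen
        return "S0"          # attempt, no reply

    if resp_synack and not orig_syn:
        # Mirror image: responder's side seen, originator's SYN missed.
        if resp_rst:
            return "RSTRH"
        if resp_fin:
            return "SHR"
        return "OTH"         # simplification: Zeek tracks this more finely

    return "OTH"             # midstream traffic, no handshake observed


def drop_direction(pkts: Iterable[Pkt], direction: str) -> List[Pkt]:
    """Hypothetical helper: simulate a vantage-point gap in which the
    monitor never sees segments flowing in `direction`."""
    return [p for p in pkts if p.direction != direction]


# Constructed sample traces (not captured traffic).
NORMAL: List[Pkt] = [
    Pkt("orig", "S"), Pkt("resp", "SA"), Pkt("orig", "A"),   # handshake
    Pkt("orig", "FA"), Pkt("resp", "FA"), Pkt("orig", "A"),  # orderly close
]
SCANNER: List[Pkt] = [Pkt("orig", "S"), Pkt("orig", "FA")]   # SYN, then FIN; no answer ever existed


def demo() -> Dict[str, str]:
    """A complete connection, the same connection with the reply direction
    bypassing the sensor, and a scanner that was never answered."""
    return {
        "normal": classify(NORMAL),
        "normal_blind_to_resp": classify(drop_direction(NORMAL, "resp")),
        "scanner": classify(SCANNER),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:22s} -> {state}")
```

The point of the demo is the second and third rows: once the responder's segments are missing from the capture, a perfectly ordinary connection is labelled "SH" exactly like a half-open scan, so an alert keyed on SH cannot distinguish an attacker from a routing path that skips the sensor. A practitioner reading SH counts should first check whether the affected local hosts are actually visible in both directions from the monitor's vantage point.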