Beginning vs End-of-Connection Logging

You can log a connection at its beginning or its end, with the following exceptions for blocked traffic:

  • Blocked traffic—Because blocked traffic is immediately denied without further inspection, usually you can log only beginning-of-connection events for blocked traffic. There is no unique end of connection to log.

  • Blocked encrypted traffic—When you enable connection logging in a decryption policy, the system logs end-of-connection rather than beginning-of-connection events. This is because the system cannot determine if a connection is encrypted using the first packet in the session, and thus cannot immediately block encrypted sessions.

To optimize performance, log either the beginning or the end of any connection, but not both. Monitoring a connection for any reason forces end-of-connection logging. For a single non-blocked connection, the end-of-connection event contains all of the information in the beginning-of-connection event, as well as information gathered over the duration of the session.

The following table details the differences between beginning and end-of-connection events, including the advantages to logging each.

Comparing Beginning and End-of-Connection Events

Can be generated...

  Beginning-of-connection events: When the system detects the beginning of a connection (or, after the first few packets, if event generation depends on application or URL identification).

  End-of-connection events: When the system:

    • Detects the close of a connection.

    • Does not detect the end of a connection after a period of time.

    • Can no longer track the session due to memory constraints.

Can be logged for...

  Beginning-of-connection events: All connections except those blocked by the decryption policy.

  End-of-connection events: Most connections.

Contain...

  Beginning-of-connection events: Only information that can be determined from the first packet (or the first few packets, if event generation depends on application or URL identification).

  End-of-connection events: All information in the beginning-of-connection event, plus information determined by examining traffic over the duration of the session; for example, the total amount of data transmitted or the timestamp of the last packet in the connection.

  Note: The connection event does not count data transmitted after the threat defense returns a Snort verdict for the connection, or after you fastpath the connection.

Are useful...

  Beginning-of-connection events: If you want to log:

    • Blocked connections.

    • Only the beginning of a connection, because the end-of-connection information does not matter to you.

  End-of-connection events: If you want to:

    • Log encrypted connections handled by a decryption policy.

    • Perform any kind of detailed analysis on, or trigger correlation rules using, information collected over the duration of the session.

    • View connection summaries (aggregated connection data) in custom workflows, view connection data in graphical format, or create and use traffic profiles.
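To show how the two event types combine downstream (for example in a SIEM), here is an added example that is not from the Cisco documentation and not the product's own code. It merges a constructed stream of beginning- and end-of-connection events into one record per connection: the end event supersedes the begin event wherever both exist, blocked connections keep their begin-only record, connections blocked by the decryption policy arrive as end-only records, connections logged at both ends (the duplication the text recommends avoiding) are reported, and allowed connections whose end was never seen are flagged. The event field names (conn_id, phase, first_ts, last_ts, bytes, end_reason) and the sample values are assumptions made for this example, not product field names or real data.

```python
# Added example, not Cisco code. Event fields and sample values are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample stream. "phase" is "begin" or "end"; timestamps are seconds.
# End events repeat the begin-event fields and add the session totals.
SAMPLE_EVENTS: List[dict] = [
    # c1: allowed connection logged at both beginning and end.
    {"conn_id": "c1", "phase": "begin", "action": "Allow", "src": "10.0.0.5",
     "dst": "203.0.113.7", "dport": 443, "first_ts": 100},
    {"conn_id": "c1", "phase": "end", "action": "Allow", "src": "10.0.0.5",
     "dst": "203.0.113.7", "dport": 443, "first_ts": 100, "last_ts": 160,
     "bytes": 48213, "end_reason": "close"},
    # c2: blocked by an access control rule; only a beginning event exists.
    {"conn_id": "c2", "phase": "begin", "action": "Block", "src": "10.0.0.9",
     "dst": "198.51.100.2", "dport": 23, "first_ts": 101},
    # c3: blocked by the decryption policy; only an end event exists.
    {"conn_id": "c3", "phase": "end", "action": "Block", "src": "10.0.0.5",
     "dst": "203.0.113.8", "dport": 443, "first_ts": 104, "last_ts": 105,
     "bytes": 1320, "end_reason": "close"},
    # c4: allowed, beginning logged, end never seen.
    {"conn_id": "c4", "phase": "begin", "action": "Allow", "src": "10.0.0.7",
     "dst": "203.0.113.9", "dport": 80, "first_ts": 110},
    # c5: end event generated because no close was seen within the timeout.
    {"conn_id": "c5", "phase": "end", "action": "Allow", "src": "10.0.0.7",
     "dst": "203.0.113.10", "dport": 53, "first_ts": 400, "last_ts": 700,
     "bytes": 90, "end_reason": "timeout"},
]


@dataclass
class Connection:
    conn_id: str
    action: str
    src: str
    dst: str
    dport: int
    first_seen: int                   # known from either event type
    last_seen: Optional[int] = None   # only an end event supplies this
    bytes: Optional[int] = None       # session total; only in end events
    end_reason: Optional[str] = None  # "close", "timeout" or "memory"
    phases: List[str] = field(default_factory=list)

    @property
    def ended(self) -> bool:
        return self.end_reason is not None

    @property
    def duration(self) -> Optional[int]:
        # Unknown until an end event arrives. For "timeout" and "memory" reasons
        # last_seen is when the device gave up tracking, not an observed close.
        return None if self.last_seen is None else self.last_seen - self.first_seen

    @property
    def double_logged(self) -> bool:
        # The end event already carries everything the begin event had.
        return "begin" in self.phases and "end" in self.phases


def emitted_at(ev: dict) -> int:
    """When the device would have emitted this event."""
    return ev["last_ts"] if ev["phase"] == "end" else ev["first_ts"]


def merge_events(events: List[dict]) -> Dict[str, Connection]:
    """Fold a (possibly unordered) event stream into one record per connection."""
    conns: Dict[str, Connection] = {}
    for ev in sorted(events, key=emitted_at):
        c = conns.get(ev["conn_id"])
        if c is None:
            c = Connection(ev["conn_id"], ev["action"], ev["src"], ev["dst"],
                           ev["dport"], first_seen=ev["first_ts"])
            conns[c.conn_id] = c
        c.first_seen = min(c.first_seen, ev["first_ts"])
        c.phases.append(ev["phase"])
        if ev["phase"] == "end":
            # The end event supersedes the begin event for every field.
            c.last_seen = ev["last_ts"]
            c.bytes = ev.get("bytes")
            c.end_reason = ev.get("end_reason")
    return conns


def double_logged(conns: Dict[str, Connection]) -> List[str]:
    """Connections logged at both ends: the duplication the text says to avoid."""
    return sorted(cid for cid, c in conns.items() if c.double_logged)


def stale_open(conns: Dict[str, Connection], now: int, idle_timeout: int) -> List[str]:
    """Allowed connections with a begin event but no end event for longer than
    idle_timeout. Blocked connections are excluded: they never get an end event."""
    return sorted(cid for cid, c in conns.items()
                  if not c.ended and c.action != "Block"
                  and now - c.first_seen > idle_timeout)


def total_bytes(conns: Dict[str, Connection]) -> int:
    """Only end events carry a byte count, and the device stops counting after a
    Snort verdict or fastpath, so this is a lower bound, not exact volume."""
    return sum(c.bytes or 0 for c in conns.values())


if __name__ == "__main__":
    conns = merge_events(SAMPLE_EVENTS)
    for c in conns.values():
        print(f"{c.conn_id}: {c.action:<5} phases={c.phases} "
              f"duration={c.duration} bytes={c.bytes} reason={c.end_reason}")
    print("double-logged:", double_logged(conns))
    print("stale open at t=800:", stale_open(conns, now=800, idle_timeout=300))
    print("total bytes:", total_bytes(conns))
```

Run as a script, the merge yields five records: c1 is reported as double-logged, c2 (blocked) stays a begin-only record and is correctly not treated as stale, c3 (decryption-policy block) exists only as an end record, c4 is the one stale allowed connection at t=800, and the byte total comes only from the three end events.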