[Bro-Dev] Deprecating events

Vern Paxson vern at icir.org
Wed Nov 30 09:03:27 PST 2011


> ## Deprecated. Will be removed.
> event stp_create_endp%(c: connection, e: int, is_orig: bool%);
> ...

Is the intent to remove the stepping stone detection functionality?
That would be a pity, as now-and-then it provides very valuable forensic
information.

> ## Deprecated. Will be removed.
> event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%);
> ...
> ## Deprecated. Will be removed.
> event ssh_signature_found%(c: connection, is_orig: bool%);

I agree with removing this stuff, as interconn never worked that well, and
the signature stuff is all better done these days with DPD, or at least
with um the signature engine.

> There are more events that fit (1)-(3), in particular the
> pattern-matching login_* events. Undecided whether those should go
> too, but I have documented them for now.

I'd be reluctant to lose these, as they could potentially become relevant
if one is able to feed unencrypted SSH streams to Bro (depending on how
the SSH server is set up).

		Vern

