[Bro-Dev] Deprecating events

Robin Sommer robin at icir.org
Wed Nov 30 09:16:48 PST 2011


On Wed, Nov 30, 2011 at 09:03 -0800, you wrote:

> Is the intent to remove the stepping stone detection functionality?

Yes, that's what I was thinking.

> That would be a pity, as now-and-then it provides very valuable forensic
> information.

I didn't realize this is still being used. I'm fine keeping the events
then, but could you provide a few sentences describing their semantics
for the script reference? I don't really know. 

> I'd be reluctant to lose these, as they could potentially become relevant
> if one is able to feed unencrypted SSH streams to Bro

That's right but isn't the scripting land the better place to
implement this functionality eventually? What I don't like is all the
hard-coded regexp variables that one passes into the core; that's
quite different from any other analyzer.

Robin

-- 
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

