[Bro-Dev] Deprecating events
Robin Sommer
robin at icir.org
Wed Nov 30 09:16:48 PST 2011
On Wed, Nov 30, 2011 at 09:03 -0800, you wrote:
> Is the intent to remove the stepping stone detection functionality?
Yes, that's what I was thinking.
> That would be a pity, as now-and-then it provides very valuable forensic
> information.
I didn't realize this is still being used. I'm fine keeping the events
then, but could you provide a few sentences describing their semantics
for the script reference? I don't really know.
> I'd be reluctant to lose these, as they could potentially become relevant
> if one is able to feed unencrypted SSH streams to Bro
That's right but isn't the scripting land the better place to
implement this functionality eventually? What I don't like is all the
hard-coded regexp variables that one passes into the core; that's
quite different from any other analyzer.
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org