[Bro-Dev] Deprecating events

Scott Campbell scampbell at lbl.gov
Wed Nov 30 09:32:05 PST 2011



On 11/30/11 11:03 AM, Vern Paxson wrote:
>> ## Deprecated. Will be removed.
>> event stp_create_endp%(c: connection, e: int, is_orig: bool%);
>> ...
> 
> Is the intent to remove the stepping stone detection
> functionality? That would be a pity, as now-and-then it provides
> very valuable forensic information.
> 
>> ## Deprecated. Will be removed.
>> event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%);
>> ...
>> ## Deprecated. Will be removed.
>> event ssh_signature_found%(c: connection, is_orig: bool%);
> 
> I agree with removing this stuff, as interconn never worked that
> well, and the signature stuff is all better done these days with
> DPD, or at least with um the signature engine.
> 
>> There are more events that fit (1)-(3), in particular the
>> pattern-matching login_* events. Undecided whether those should
>> go too, but I have documented them for now.
> 
> I'd be reluctant to lose these, as they could potentially become
> relevant if one is able to feed unencrypted SSH streams to Bro
> (depending on how the SSH server is set up).
> 
> Vern


Re SSH streams, the iSSHD framework builds off the pattern-matching
login-* events, but in that case we just take advantage of the policy
infrastructure rather than the event generation.

cheers,
scott

