<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
Or don’t count it in the port statistics, but still count it in the protocol stats. So you would see a ton of protocol #1
<div class=""><br class="">
</div>
<div class="">But I think I like your suggestion better because it separates things like 53/tcp and 53/udp. </div>
<div class=""><br class="">
<div>
<blockquote type="cite" class="">
<div class="">On Apr 26, 2016, at 9:04 AM, Vlad Grigorescu <<a href="mailto:vlad@grigorescu.org" class="">vlad@grigorescu.org</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div dir="ltr" class="">I'm not sure I agree without additional context. ICMP exfil is a known technique. Wouldn't you want to know if all of a sudden, you started seeing gigs of ICMP? Or is there some other limitation that would make detecting this problematic?
<div class=""><br class="">
</div>
<div class="">What I would recommend instead is simply adding the protocols to the ports. So, instead of "top ports: 53, 80, 443, 8" you would see: "top ports: 53/udp, 80/tcp, 443/tcp, 8/icmp"</div>
<div class=""><br class="">
</div>
<div class="">Would this be sufficient to solve the ICMP/port number confusion?</div>
</div>
<div class="gmail_extra"><br class="">
<div class="gmail_quote">On Tue, Apr 26, 2016 at 8:07 AM, Adam Slagell (JIRA) <span dir="ltr" class="">
<<a href="mailto:jira@bro-tracker.atlassian.net" target="_blank" class="">jira@bro-tracker.atlassian.net</a>></span> wrote:<br class="">
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br class="">
[ <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__bro-2Dtracker.atlassian.net_browse_BIT-2D1571-3Fpage-3Dcom.atlassian.jira.plugin.system.issuetabpanels-3Acomment-2Dtabpanel-26focusedCommentId-3D25900-23comment-2D25900&d=CwMFaQ&c=8hUWFZcy2Z-Za5rBPlktOQ&r=gMEsgy9kNQo7aTfyIJsOSuw4Z57hfQyz6uV2H4S9PvE&m=beorgX6UQRKd6PT0TlIH2AguYVgqol2BXwnYJL7xcTg&s=ayfCl68oBOLFmdONWN8cXNOKCfvTHTccw8hr3HkQUmE&e=" rel="noreferrer" target="_blank" class="">
https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25900#comment-25900</a> ]<br class="">
<span class=""><br class="">
Adam Slagell commented on BIT-1571:<br class="">
-----------------------------------<br class="">
<br class="">
</span>Talking with Seth, he agrees that it probably just makes more sense to leave ICMP out of the connection summaries.<br class="">
<span class=""><br class="">
> Connection summaries w/ IPv6 have poor readabiity<br class="">
> -------------------------------------------------<br class="">
><br class="">
> Key: BIT-1571<br class="">
> URL: <a href="https://urldefense.proofpoint.com/v2/url?u=https-3A__bro-2Dtracker.atlassian.net_browse_BIT-2D1571&d=CwMFaQ&c=8hUWFZcy2Z-Za5rBPlktOQ&r=gMEsgy9kNQo7aTfyIJsOSuw4Z57hfQyz6uV2H4S9PvE&m=beorgX6UQRKd6PT0TlIH2AguYVgqol2BXwnYJL7xcTg&s=G1V9yTqJu9EsCXN23xZ1E-ydwqADT1YJBKqzJkNqhZM&e=" rel="noreferrer" target="_blank" class="">
https://bro-tracker.atlassian.net/browse/BIT-1571</a><br class="">
> Project: Bro Issue Tracker<br class="">
> Issue Type: Improvement<br class="">
> Components: BroControl<br class="">
> Affects Versions: 2.4<br class="">
> Reporter: Adam Slagell<br class="">
> Assignee: Daniel Thayer<br class="">
> Priority: Low<br class="">
> Fix For: 2,5<br class="">
><br class="">
> Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt<br class="">
><br class="">
><br class="">
> The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.<br class="">
<br class="">
<br class="">
<br class="">
--<br class="">
This message was sent by Atlassian JIRA<br class="">
</span>(v1000.5.0#72002)<br class="">
<div class="HOEnZb">
<div class="h5">_______________________________________________<br class="">
bro-dev mailing list<br class="">
<a href="mailto:bro-dev@bro.org" class="">bro-dev@bro.org</a><br class="">
<a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.icsi.berkeley.edu_mailman_listinfo_bro-2Ddev&d=CwMFaQ&c=8hUWFZcy2Z-Za5rBPlktOQ&r=gMEsgy9kNQo7aTfyIJsOSuw4Z57hfQyz6uV2H4S9PvE&m=beorgX6UQRKd6PT0TlIH2AguYVgqol2BXwnYJL7xcTg&s=4IUiD_rshKiWgExIpRf1sV9VOAU5kKwazUEsgKMM9SY&e=" rel="noreferrer" target="_blank" class="">http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev</a><br class="">
</div>
</div>
</blockquote>
</div>
<br class="">
</div>
_______________________________________________<br class="">
bro-dev mailing list<br class="">
<a href="mailto:bro-dev@bro.org" class="">bro-dev@bro.org</a><br class="">
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev<br class="">
</div>
</blockquote>
</div>
<br class="">
<div class="">
<div style="color: rgb(0, 0, 0); letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">
<div class="">------<br class="">
<br class="">
Adam J. Slagell<br class="">
Chief Information Security Officer<br class="">
Director, Cybersecurity Division<br class="">
National Center for Supercomputing Applications<br class="">
University of Illinois at Urbana-Champaign<br class="">
<a href="http://www.slagell.info" class="">www.slagell.info</a><br class="">
<br class="">
"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure." <br class="">
<br class="">
<br class="">
<br class="">
<br class="">
<br class="">
<br class="">
<br class="">
</div>
</div>
</div>
<br class="">
</div>
</body>
</html>