<div dir="ltr"><div>True, I'm just basing it off of Bro's mechanism to turn some UDP traffic into "connections" that fit into its model.<br><br></div>I guess what I'm looking for is a connection_state_add to go with the existing connection_state_remove. It wouldn't be UDP-specific, but it might fit the current event model a bit better.<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Mar 5, 2018 at 4:55 AM, Jan Grashöfer <span dir="ltr"><<a href="mailto:jan.grashoefer@gmail.com" target="_blank">jan.grashoefer@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 02/03/18 03:52, Vlad Grigorescu wrote:<br>
> I would like to propose a new event in Bro, one that would fire when a UDP<br>
> connection is established (i.e. a response is observed within some time<br>
> frame after a request is seen). Basically, the UDP equivalent of<br>
> connection_established.<br>
><br>
</span>> [...]<br>
<span class="">><br>
> Does anyone have thoughts about this?<br>
<br>
</span>I definitely see the need to correlate request-response-pairs for UDP<br>
protocols but as UDP is *connectionless*, the term UDP connection sounds<br>
very strange to me. Maybe a general notion of request-response protocols<br>
could be established. Corresponding protocols could trigger general<br>
events. For some protocols there might be even a session concept.<br>
<br>
Jan<br>
______________________________<wbr>_________________<br>
bro-dev mailing list<br>
<a href="mailto:bro-dev@bro.org">bro-dev@bro.org</a><br>
<a href="http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev" rel="noreferrer" target="_blank">http://mailman.icsi.berkeley.<wbr>edu/mailman/listinfo/bro-dev</a><br>
</blockquote></div><br></div>