Few questions...

Vern Paxson vern at icir.org
Thu Jul 25 23:05:58 PDT 2002

> > Depends what you mean by "illegal".  It detects acknowledgments above
> > sequence holes, and inconsistent TCP retransmission.  
> > Unfortunately, when
> > looking at a large volume of traffic, these show up due to 
> > various things
> > being broken (as mentioned in the Bro paper), so their presence isn't
> > a useful indicator of an attack.
> Have you observed it  in a practical network? 

Yes, that's the whole point - "looking at a large volume of traffic"
reflects years of operating Bro at LBL (and other environments).  It's
a whole different world than just looking at say a LAN, which is *much*
more homogeneous and well-behaved.


More information about the Bro mailing list