vern at icir.org
Thu Jul 25 23:05:58 PDT 2002
> > Depends what you mean by "illegal". It detects acknowledgments above
> > sequence holes, and inconsistent TCP retransmission. Unfortunately, when
> > looking at a large volume of traffic, these show up due to various things
> > being broken (as mentioned in the Bro paper), so their presence isn't
> > a useful indicator of an attack.
> Have you observed it in a practical network?
Yes, that's the whole point - "looking at a large volume of traffic"
reflects years of operating Bro at LBL (and other environments). It's
a whole different world than just looking at say a LAN, which is *much*
more homogeneous and well-behaved.
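The two checks named in the quoted reply, as an added illustration that is not part of the original thread and not Bro's own code: a minimal per-direction tracker that keys bytes by absolute sequence number, reports an "ack above sequence hole" when one side acknowledges data the monitor never saw (the typical symptom of the monitor dropping packets, i.e. "various things being broken" rather than an attack), and reports an "inconsistent retransmission" when a retransmitted segment carries different bytes than the original. The segment trace, the host names and the Segment/ConnectionMonitor names are assumptions constructed for the example; it ignores 32-bit sequence wraparound and starts after the handshake, so SYN sequence consumption is not modelled.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment as seen by a passive monitor (constructed for this example)."""
    src: str
    dst: str
    seq: int          # sequence number of the first payload byte
    ack: int          # acknowledgment number carried by the segment
    payload: bytes


class Direction:
    """Bytes observed in one direction of a connection, keyed by absolute seq number."""

    def __init__(self, first_seq: int):
        # End of the contiguous run starting at the first byte we saw.
        self.next_expected = first_seq
        self.bytes: Dict[int, int] = {}

    def add(self, seg: Segment) -> List[str]:
        """Record the payload; report bytes that contradict data already seen."""
        alerts = []
        for i, b in enumerate(seg.payload):
            s = seg.seq + i
            old = self.bytes.get(s)
            if old is not None and old != b:
                alerts.append(
                    f"inconsistent retransmission at seq {s}: {old:#04x} != {b:#04x}")
            self.bytes[s] = b
        # Advance the contiguous edge over whatever is now filled in.
        while self.next_expected in self.bytes:
            self.next_expected += 1
        return alerts

    def has_hole(self) -> bool:
        """True if we hold bytes beyond the contiguous edge (a gap in what we saw)."""
        return any(s > self.next_expected for s in self.bytes)


class ConnectionMonitor:
    """Tracks both directions of one connection and collects anomaly reports."""

    def __init__(self):
        self.dirs: Dict[Tuple[str, str], Direction] = {}
        self.alerts: List[str] = []

    def feed(self, seg: Segment) -> None:
        key = (seg.src, seg.dst)
        if key not in self.dirs:
            self.dirs[key] = Direction(seg.seq)
        # Compare the ACK with the data we saw flowing the other way: an ACK
        # past our contiguous edge acknowledges bytes the monitor never saw.
        rev = self.dirs.get((seg.dst, seg.src))
        if rev is not None and seg.ack > rev.next_expected:
            hole = " (hole in monitored data)" if rev.has_hole() else ""
            self.alerts.append(
                f"{seg.src}->{seg.dst} acks {seg.ack} above sequence hole at "
                f"{rev.next_expected}{hole}")
        for a in self.dirs[key].add(seg):
            self.alerts.append(f"{seg.src}->{seg.dst} {a}")


def analyze(segments: List[Segment]) -> List[str]:
    mon = ConnectionMonitor()
    for seg in segments:
        mon.feed(seg)
    return mon.alerts


def run_example() -> List[str]:
    """Constructed trace: the monitor misses one client segment, the server
    acks past the resulting hole, the gap is later filled, and a retransmitted
    segment differs from the original by one byte."""
    trace = [
        Segment("client", "server", 1000, 5000, b"GET / HTTP/1.0\r\n"),  # 1000..1015
        Segment("server", "client", 5000, 1016, b""),                    # normal ack
        Segment("client", "server", 1026, 5000, b"Host: x\r\n"),         # 1016..1025 missing
        Segment("server", "client", 5000, 1035, b""),                    # acks past the hole
        Segment("client", "server", 1016, 5000, b"0123456789"),          # fills the hole
        Segment("client", "server", 1026, 5000, b"Host: y\r\n"),         # differs at seq 1032
    ]
    return analyze(trace)


if __name__ == "__main__":
    for line in run_example():
        print(line)
```

The point the reply makes applies directly: on a busy link the first alert fires whenever the tap or capture host drops a packet, so it describes the monitor's blind spot far more often than an attacker's behaviour, and only the second kind (genuinely conflicting bytes for the same sequence range) is worth a closer look.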
More information about the Bro