new bro "CURRENT" release - 0.8a57
mtdedlow at lbl.gov
Tue Dec 16 14:12:16 PST 2003
>>but I wonder if it wouldn't be useful to have some indication of those
>>connections that BRO has determined the service of (via inspection)
>>versus merely inferring the service from a port:name lookup table.
> Hmmmm, perhaps this should be a new flag (to go along with 'L', and
> the soon-to-depart 'U'), but I'm not sure it's worth it - do you have
> an example in which this is particularly handy to have?
I'm sort of thinking about identifying non-standard port usage.
For example, what if I run some proprietary service on port 80?
Is it going to be service 'other' or service 'http'? What if
I run telnetd on port 80?
I'm just thinking of the distinction between positive knowledge
of a service vs. inference of service by port number.
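
The distinction raised in this message, as an added example that is not part of the original post and is not Bro code: a connection is labelled with a service plus the basis for that label (port lookup or payload inspection), and a mismatch is flagged as non-standard port usage. The port table, signatures, function names and sample payloads are all constructed assumptions.

```python
import re

# Assumed port:name table (constructed stand-in for a services lookup).
PORT_TABLE = {23: "telnet", 25: "smtp", 80: "http"}

# Payload signatures (assumed, deliberately minimal).
HTTP_REQ = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
HTTP_RESP = re.compile(rb"^HTTP/1\.[01] \d{3} ")
# Telnet option negotiation: IAC (0xFF) then WILL/WONT/DO/DONT (0xFB-0xFE).
TELNET_NEG = re.compile(rb"^\xff[\xfb-\xfe]")

# Services for which a signature exists, so a miss is meaningful.
SIGNATURED = {"http", "telnet"}


def inspect(orig_data, resp_data):
    """Return a service name only when the payload positively identifies it."""
    if HTTP_REQ.match(orig_data) or HTTP_RESP.match(resp_data):
        return "http"
    if TELNET_NEG.match(orig_data) or TELNET_NEG.match(resp_data):
        return "telnet"
    return None


def classify(resp_port, orig_data=b"", resp_data=b""):
    """Return (service, basis, nonstandard).

    basis is "inspected" when the payload decided the label and "port"
    when the label is only inferred from the port table.
    """
    inferred = PORT_TABLE.get(resp_port, "other")
    seen = inspect(orig_data, resp_data)
    if seen is not None:
        # Positive knowledge: the payload identified the service.
        return seen, "inspected", seen != inferred
    if (orig_data or resp_data) and inferred in SIGNATURED:
        # Payload exists but contradicts the service the port implies.
        return "other", "inspected", True
    # Nothing to go on but the port number.
    return inferred, "port", False


if __name__ == "__main__":
    # Constructed samples: telnetd on port 80, then an unknown protocol on 80.
    print(classify(80, b"", b"\xff\xfd\x18\xff\xfd\x20"))
    print(classify(80, b"\x01\x02PROPRIETARY", b"\x00\x10"))
```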