[Bro] Skipping Connections versus Skipping Deliveries
José María González
chema at cs.berkeley.edu
Wed Oct 6 18:24:00 PDT 2004
I'm trying to understand the differences between Skipping
Connections and Skipping Deliveries. My impression was
that Skipping Connections would stop any further L4
processing of a connection. That's clearly the case in
UDP, where NextPacket()'s first task is to check whether
it must skip the connection. OTOH, this seems not to be true
in TCP. I assume it's because Bro is interested in TCP
headers independently of its interest in the L7 protocol.
It's not the same case with UDP headers, as the latter
are pretty much useless. Am I right? [1st Question]
Skipping Deliveries (TCP_Contents.cc), OTOH, controls
whether L7 protocols should receive data lines or not.
If you are not going to deliver lines to the L7 protocol,
why would you be listening to the connection itself? My
hunch is the same as before: it may be interesting to
parse TCP contents anyway. The question is, then,
shouldn't setting both endpoints of a connection to
(skip_deliveries = 1) trigger SetSkip(1)? [Question 2]
Thanks for any help.
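The distinction the post is asking about, as an added illustration that is not Bro's code and not part of the original message: a small C++ model in which a per-connection `skip` flag (the analogue of `SetSkip(1)`) stops all per-packet work, while per-endpoint `skip_deliveries` only suppresses handing payload to the L7 analyser and leaves L4 header tracking in place for TCP. The type and function names (`Connection`, `Endpoint`, `Packet`, `process_tcp`, `process_udp`, `promote_if_both_skip`) are assumptions chosen for the example; `promote_if_both_skip` models the behaviour the post proposes (both endpoints skipping deliveries implying a full connection skip) so the two states can be compared side by side.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>

// Constructed model of the two flags discussed in the post; not Bro's code.
// All names here are assumptions made for the example.

struct Endpoint {
    bool skip_deliveries = false;  // per direction: do not hand contents to L7
    uint32_t last_seq = 0;         // L4 state that TCP keeps tracking regardless
    uint32_t delivered_bytes = 0;  // bytes actually passed to the L7 analyser
};

struct Connection {
    bool skip = false;             // analogue of SetSkip(1): no further processing
    Endpoint orig, resp;
    uint32_t header_updates = 0;   // packets whose headers updated L4 state
};

struct Packet {
    bool from_orig;
    uint32_t seq;
    std::string payload;
};

struct Outcome {
    bool header_processed;
    bool payload_delivered;
};

// TCP: a connection-level skip stops everything, but skip_deliveries alone
// still lets the header update the endpoint's L4 state.
Outcome process_tcp(Connection& c, const Packet& p) {
    if (c.skip)
        return {false, false};
    Endpoint& ep = p.from_orig ? c.orig : c.resp;
    ep.last_seq = p.seq;            // header work happens unconditionally
    ++c.header_updates;
    if (ep.skip_deliveries || p.payload.empty())
        return {true, false};       // parsed the header, delivered nothing
    ep.delivered_bytes += static_cast<uint32_t>(p.payload.size());
    return {true, true};
}

// UDP: the skip check is the first thing done per packet, so a skipped
// connection gets no work at all; there is no header state worth keeping.
Outcome process_udp(Connection& c, const Packet& p) {
    if (c.skip)
        return {false, false};
    Endpoint& ep = p.from_orig ? c.orig : c.resp;
    ++c.header_updates;
    if (ep.skip_deliveries)
        return {true, false};
    ep.delivered_bytes += static_cast<uint32_t>(p.payload.size());
    return {true, true};
}

// The behaviour the post proposes: once both endpoints skip deliveries,
// promote the connection to a full skip. Returns the resulting skip flag.
bool promote_if_both_skip(Connection& c) {
    if (c.orig.skip_deliveries && c.resp.skip_deliveries)
        c.skip = true;
    return c.skip;
}

int main() {
    Connection c;
    c.orig.skip_deliveries = c.resp.skip_deliveries = true;
    Outcome before = process_tcp(c, {true, 1, "GET / HTTP/1.0"});   // constructed
    promote_if_both_skip(c);
    Outcome after = process_tcp(c, {false, 1, "HTTP/1.0 200 OK"}); // constructed
    std::printf("skip_deliveries only: header=%d payload=%d\n",
                before.header_processed, before.payload_delivered);
    std::printf("after SetSkip-style promotion: header=%d payload=%d\n",
                after.header_processed, after.payload_delivered);
    return 0;
}
```

The first call shows the state the post describes (headers still parsed, nothing delivered); the second shows what the proposed promotion would change, namely that L4 tracking stops as well, which is exactly the trade-off the question turns on.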