[Bro] Skipping Connections versus Skipping Deliveries

José María González chema at cs.berkeley.edu
Wed Oct 6 18:24:00 PDT 2004


I'm trying to understand the differences between Skipping 
Connections and Skipping Deliveries. My impression was 
that Skipping Connections would stop any further L4 
processing of a connection. That's clearly the case in 
UDP, where NextPacket()'s first task is to check whether
it must skip the connection. OTOH, this seems not true 
in TCP. I assume it's because Bro is interested in TCP 
headers independently of its interest in the L7 protocol. 
It's not the same case with UDP headers, as the latter 
are pretty much useless. Am I right? [1st Question] 

Skipping Deliveries (TCP_Contents.cc), OTOH, controls
whether L7 protocols should receive data lines or not. 
If you are not going to deliver lines to the L7 protocol, 
why would you be listening to the connection itself? My 
hunch is the same as before: it may be interesting to
parse TCP contents anyway. The question is, then, 
shouldn't setting both endpoints of a connection to 
(skip_deliveries = 1) trigger SetSkip(1) ? [Question 2]

Thanks for any help. 
