[Bro] udp_reply event instead of supposed udp_request event

Ruoming Pang rpang at CS.Princeton.EDU
Fri Feb 11 11:46:16 PST 2005

>> my question is: why does bro recognizes udp_reply events and not 
>> udp_request
>> events? the packets were only sent from one host to another and there
>> were no packets in the opposite direction.
> It's hardcoded. Sessions.cc, around 1247.

Yes, Bro currently tries to guess which port is the service port, 
because it may not see the complete connection, for example, it may 
miss the initial DNS request. What Bro really should do is to look at 
the packet contents in addition to port numbers in its guessing. We 
have been puzzled, too, by non-DNS packets with source port 53 (the 
source port was probably selected to fool firewalls). I don't know if 
anyone is working on this kind of content-based port selection, but for 
now, the problem can be circumvented by tweaking 


More information about the Bro mailing list