[Bro] UDP flow anomaly
geek00l at gmail.com
Thu Sep 20 04:32:11 PDT 2007
Thanks, actually it just needs to check if the replying packet is 18 bytes in
length, so I guess it's good to go.
Back to work, I would like to know if anyone is working on a Skype policy script,
in case there's a merge of the same interest.
On 9/19/07, Robin Sommer <robin at icir.org> wrote:
> On Tue, Sep 18, 2007 at 15:39 +0800, CS Lee wrote:
> > The script can locate the 184.108.40.206 but not 220.127.116.11 and
> > 18.104.22.168. That leads us to believe that Bro understands the flow at
> > the semantic level. In fact if we do the matching to 18+19 = 37 bytes,
> That's right, the size in the endpoint record is cumulative and
> reflects the total size of the flow so far.
> I see two options for you:
> - you could remember the flows' size with every udp_reply and then
> calculate the increase when the next udp_reply comes in.
> - you could use the new_packet() event which gives you the size for
> each packet.
> Neither of the two approaches is very nice and both can also turn out to
> be pretty expensive. The main problem here is that Bro isn't really
> well-suited for expressing policies at the level of individual packets
> as it tries to abstract from packets to high-level activity as much as
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> LBNL/ICSI * Fax +1 (510) 666-2956 * www.icir.org
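The first option Robin describes (remember each flow's cumulative size and flag the increase), modelled here as an added Python example rather than a Bro policy script. The event list, connection ids and the `ReplySizeTracker` class are constructed for illustration; the cumulative sizes mirror what Bro's endpoint record reports on successive `udp_reply` events.

```python
# Constructed udp_reply events: (connection id, cumulative responder size).
# Bro's endpoint size is cumulative, so the third reply (18 bytes) shows up as 55.
EVENTS = [
    ("10.0.0.1:1234>10.0.0.2:53", 18),   # 1st reply: 18 bytes
    ("10.0.0.1:1234>10.0.0.2:53", 37),   # 2nd reply: 19 bytes (18 + 19)
    ("10.0.0.1:1234>10.0.0.2:53", 55),   # 3rd reply: 18 bytes (37 + 18)
    ("10.0.0.3:4000>10.0.0.2:53", 18),   # another flow, 1st reply: 18 bytes
]


def naive_matches(events, target=18):
    """Compare the cumulative size directly: only finds the first 18-byte reply of a flow."""
    return [i for i, (_, size) in enumerate(events) if size == target]


class ReplySizeTracker:
    """Per-flow state keyed by connection id, like a Bro table[conn_id] of count."""

    def __init__(self):
        self.last_size = {}

    def reply(self, conn_id, cumulative):
        """Return the size of this reply packet, i.e. the increase since the last reply."""
        increase = cumulative - self.last_size.get(conn_id, 0)
        self.last_size[conn_id] = cumulative
        return increase

    def remove(self, conn_id):
        """Drop state when the flow ends (what connection_state_remove would trigger)."""
        self.last_size.pop(conn_id, None)


def delta_matches(events, target=18):
    """Flag every reply whose per-packet size equals target, regardless of flow history."""
    tracker = ReplySizeTracker()
    return [i for i, (cid, size) in enumerate(events) if tracker.reply(cid, size) == target]
```

Both approaches match the first event of each flow; only the delta approach also catches the third reply, which a check on the cumulative value misses exactly as the thread observed.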