[Bro] Fragmentation and TCP overlapping Issues

Veronica Estrada estrada.veronica at gmail.com
Wed Nov 24 07:25:36 PST 2010

Hello everyone,

First of all, tomorrow is thanksgiving and I would like to thank all of you
for all the feedback I've always received to my posts.

I continue with my research on anomalies, now focus on evasion techniques,
and I need to ask you some help to understand how BRO deals with
fragmentation and TCP overlapping issues.  For reference, I am using Bro
1.5.1 in offline analysis.

1. Although I am loading "frag", I am not receiving any event related with

What could be wrong? libpcap library? my BRO version?

2. What are the possible events triggered by weird analyzer related with tcp
overlapping? (because I am not getting any of them although I think I should
see them on my trace)

3. TCP overlapping problems may generate "partial_ftp_request",
"partial_RPC_request" or other partial events? and also confuse BRO on how
the connection should be flagged? For example a connection with flag "S0",
no reply seen could be related with TCP overlapping problems?

4. How does BRO perform TCP reassembly? I mean, is the traffic on ALL ports
reassembled? Is there any way to apply a default policy for doing TCP
reassembly? Like Policy First or Last or Unix…

5. There is an "active mapping" function to improve TCP reassembly. Can we
define the host profile database without this active function?

6. Can we configure the size of the reassembly buffer? I read in historical
msg (from 2006) there wasn't such config and BRO presented a vulnerability
against an adversary trying to exhaust memory, is this a current

7. By doing offline analysis, I understood that BRO will analyze all the
packets without loss even if the CPU is running at 100%. Still, I need
information about dropping packets for other reasons. For example, if BRO
encounters TCP overlapping, Does it drop all the packets? Choose some of
them? Are these actions log somewhere? The same with fragmentations issues.
Where can I check the portion of fragments that where reassembled? how many
frames discarded, etc?

8. I am not seeing any difference in bro logs when I analyze 2 pcap files.
One file contains some malformed packet at the end and wireshark says "the
packet is bigger than 65535", the other pcap file is the same file but
truncated using editcap to avoid this "malformed packet" (if I check the hex
using hd, the part truncated represents 850MB ). All the logs of BRO when
input is one file or the other are identical. Is this the expected result?

Veronica Estrada

Nakao Lab. Network System Research Group

University of Tokyo
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20101125/253800a8/attachment.html 

More information about the Bro mailing list