[Bro] Event for syn-ack packet
sheharbano.k at gmail.com
Wed May 23 09:37:48 PDT 2012
I have a list of C&C servers and I want to detect which hosts in our
network talk to them. The first case is simple: check all outbound
connections in which the destination is a C&C IP. The second case is when a
C&C server takes the initiative and tries to connect to an internal host.
In some cases, it may not proceed to establishing a full connection. It hears
the syn-ack and leaves it at that. It comes back later, or maybe that's its idea
of an 'I am at your service' message. I need this event for the second case
as the connection may never be established at all, at least for the time
for which I have a pcap trace.
On Wed, May 23, 2012 at 9:29 PM, Seth Hall <seth at icir.org> wrote:
> On May 23, 2012, at 6:05 AM, Sheharbano Khattak wrote:
> > The reply could be as short as a syn-ack. The event
> > connection_established is too late as it doesn't matter whether the
> > connection was established.
> Are you trying to reduce your latency in detecting something? I guess I
> don't understand why connection_established is too late.
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
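As an added illustration (not code from this thread or from the Bro project), the script below uses Bro's `connection_SYN_packet` event, which is raised for every SYN seen by the TCP analyzer, SYN-ACKs included, with `pkt$is_orig` telling the two apart. It raises a notice both when a listed C&C address sends the initial SYN and when an internal host answers it with a SYN-ACK, so the half-open case in the second scenario is caught even if the handshake never completes. The module name, notice types and the two C&C addresses are placeholders chosen for the example.

```bro
# Flag C&C-initiated handshakes, including ones that stop at the SYN-ACK.
# Example script, not part of the Bro distribution.

module CnCHandshake;

export {
	redef enum Notice::Type += {
		## A listed C&C address sent a SYN to an internal host.
		Inbound_SYN_From_CnC,
		## An internal host answered a C&C-initiated SYN with a SYN-ACK.
		SYN_ACK_To_CnC,
	};

	## Placeholder C&C addresses (documentation ranges); redef with the real list.
	const cnc_servers: set[addr] = { 192.0.2.10, 198.51.100.7 } &redef;
}

event connection_SYN_packet(c: connection, pkt: SYN_packet)
	{
	# Only connections whose originator is a listed C&C address matter here.
	if ( c$id$orig_h !in cnc_servers )
		return;

	if ( pkt$is_orig )
		{
		# Pure SYN from the C&C side: the server is reaching in.
		NOTICE([$note=Inbound_SYN_From_CnC, $conn=c,
		        $msg=fmt("C&C %s sent SYN to %s port %s",
		                 c$id$orig_h, c$id$resp_h, c$id$resp_p)]);
		}
	else
		{
		# SYN-ACK from the internal responder. This fires on the reply itself,
		# so it is seen even if the C&C never sends the final ACK.
		NOTICE([$note=SYN_ACK_To_CnC, $conn=c,
		        $msg=fmt("%s answered C&C %s with SYN-ACK on port %s",
		                 c$id$resp_h, c$id$orig_h, c$id$resp_p)]);
		}
	}
```

Run it over the trace with `bro -r trace.pcap cnc_handshake.bro` and look in notice.log; the SYN_ACK_To_CnC entries are the internal hosts that answered a C&C server.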