[Bro] TEREDO bug
jmellander at lbl.gov
Mon Oct 1 15:57:43 PDT 2012
I've been looking at known-services.bro for other reasons, and found the
("DNS" in c$service && c$resp$size == 0) ) # for dns, require that the
I'm a bit surprised that only DNS requires that both sides of the
conversation talk - I would expect that in the case of UDP protocols
especially one would want to see both sides of the conversation.
On Mon, Oct 1, 2012 at 1:29 PM, Siwek, Jonathan Luke <jsiwek at illinois.edu> wrote:
> > I don't think TEREDO is working correctly. It is filling up the
> > known_services.log with entries for local host ports that I know are
> > closed just because there was a TEREDO packet sent to that port.
> It's not so much Teredo working incorrectly as it is the combination of
> how it works with the way known-services.bro decides something is a
> service, which could be improved.
> I've created a ticket to track the issue: