[Bro] connection_established for udp

Siwek, Jonathan Luke jsiwek at illinois.edu
Fri Apr 19 13:33:55 PDT 2013

> I'd like to know whenever a new server appears on a network. Ideally,
> this would be whenever a host calls listen() on a connection-oriented
> socket or bind() on a datagram socket. In practice, it seems to work
> well enough to track the responding hosts and ports of established
> connections or datagram pseudo-connections where the "server" has
> responded. This doesn't work for UDP servers that don't respond using
> the same 4-tuple, but it works for DNS and a few other common UDP server
> types.

If you can wait until the internal state of UDP "connections" in Bro times out due to inactivity (the default of the "udp_inactivity_timeout" variable is 1 min), would it work to handle the "connection_state_remove" event and check for a non-zero c$resp$size?

- Jon
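The approach Jon sketches, written out as a Bro script. This is an added example, not code from the thread or from the Bro project itself; it assumes the Bro 2.x scripting API of the time (the `connection_established` and `connection_state_remove` events, the `c$resp$size` endpoint counter and `Log::create_stream`), and the module name `NewServer`, the log columns and the `seen` table are assumptions chosen for illustration. It combines both halves of the original question: TCP servers are reported when the handshake completes, UDP servers when the pseudo-connection is flushed with a non-zero responder byte count.

```bro
# Report each (host, port) the first time it acts as a server.
# TCP: connection_established fires once the responder completes the handshake.
# UDP: there is no handshake, so wait for connection_state_remove (after
#      udp_inactivity_timeout, default 1 min) and require c$resp$size > 0,
#      i.e. the responder actually sent bytes back on the same 4-tuple.
# Caveat carried over from the thread: a UDP service that answers from a
# different 4-tuple (e.g. a different source port) is never seen as a
# responder here and will not be reported.

@load base/frameworks/logging

module NewServer;

export {
	redef enum Log::ID += { LOG };

	## One record per newly observed server endpoint.
	type Info: record {
		ts:      time            &log;
		host:    addr            &log;
		resp_p:  port            &log;
		proto:   transport_proto &log;
		## Bytes the responder sent in the connection that revealed it.
		resp_bytes: count        &log;
	};

	## Endpoints already reported; expire entries so a host that stops
	## and later restarts a service is reported again after a day
	## (the expiry interval is an assumed value, tune to taste).
	global seen: set[addr, port] &create_expire = 1 day;
}

event bro_init()
	{
	Log::create_stream(NewServer::LOG, [$columns=Info]);
	}

function report_server(c: connection)
	{
	local h = c$id$resp_h;
	local p = c$id$resp_p;

	# Only report each (host, port) pair once per expiry window.
	if ( [h, p] in seen )
		return;
	add seen[h, p];

	Log::write(NewServer::LOG, [$ts=network_time(),
	                            $host=h,
	                            $resp_p=p,
	                            $proto=get_port_transport_proto(p),
	                            $resp_bytes=c$resp$size]);
	}

# TCP: the responder completed the three-way handshake, so it is listening.
event connection_established(c: connection)
	{
	report_server(c);
	}

# UDP: the pseudo-connection is being removed from Bro's state. If the
# responder side carried any payload, something answered on that port.
event connection_state_remove(c: connection)
	{
	if ( get_port_transport_proto(c$id$resp_p) != udp )
		return;

	if ( c$resp$size == 0 )
		return;

	report_server(c);
	}
```

Run it alongside the default scripts (`bro -r trace.pcap newserver.bro` or add it to local.bro) and the output lands in newserver.log. A DNS server, for example, appears once after its first answered query ages out of the UDP state table; a UDP port that only ever receives packets without replying on the same 4-tuple never appears, which is exactly the gap the original poster noted.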

