[Bro-Dev] Deprecating events

Vern Paxson vern at icir.org
Thu Dec 1 02:38:08 PST 2011


> > That would be a pity, as now-and-then it provides very valuable forensic
> > information.
> 
> I didn't realize this is still being used.

It's quite rare, but basically whenever you detect (through some other
means) a credential thief, the stepping-stone info can be very handy for
the incident analysis.

> I'm fine keeping the events
> then, but could you provide a few sentences describing their semantics
> for the script reference? I don't really know. 

I really don't know if this is worth it.  The events are fodder for the
specific algorithm; I can't picture a user actually wanting to write their
own handlers for them.  That they're quite specific also makes them
awkward to explain.  So my vote is to just label them as "internal to
the stepping-stone detector".

> > I'd be reluctant to lose these, as they could potentially become relevant
> > if one is able to feed unencrypted SSH streams to Bro
> 
> That's right but isn't the scripting land the better place to
> implement this functionality eventually?

Yeah, it would ... though it's a pretty messy state-machine-plus-string-
matching chunk of code.

> What I don't like is all the
> hard-coded regexp variables that one passes into the core; that's
> quite different from any other analyzer.

A valid point.

		Vern


More information about the bro-dev mailing list