[Bro-Dev] #724: Changing semantics of ConnSizeAnalyzer

Bro Tracker bro at tracker.bro-ids.org
Sun Dec 18 15:57:40 PST 2011


#724: Changing semantics of ConnSizeAnalyzer
----------------------+--------------------
  Reporter:  seth     |      Owner:
      Type:  Problem  |     Status:  new
  Priority:  High     |  Milestone:  Bro2.0
 Component:  Bro      |    Version:
Resolution:           |   Keywords:
----------------------+--------------------

Comment (by robin):

 I'm reluctant to count only payload bytes as I find that not very
 intuitive and also non-standard (NetFlow for example counts IP bytes
 as well). It feels like we'd be tuning a general mechanism to a
 specific case (SSH login detection). The sequence number calculation
 seems the right thing to use here, and I'd prefer to fix that instead.

 That said, for now I can see doing both as Gregor suggested, however I
 would log the IP bytes only and use payload bytes in scripts where
 helpful.

 Robin

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/724#comment:1>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker


