[Bro-Dev] Tunnels
Seth Hall
seth at icir.org
Fri Jul 29 04:30:54 PDT 2011
On Jul 28, 2011, at 9:23 PM, Gregor Maier wrote:
> * removing the parent headers completely but generate an event to
> associate the child connection with the parent connection (1)
That would probably work well once we figured out how to properly deal with (1). :)
> (1) not that it's not necessarily a connection. 6to4 and 6in4 are directly on top of IP (using proto 41). So Bro wouldn't even see these packets because it only handles TCP/UDP/ICMP (you would get a weird though)
Almost makes me wonder if eventually we'd want to have fake IP connections similarly to the fake udp connections?
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
More information about the bro-dev
mailing list