vern at icir.org
Fri Jul 29 10:13:50 PDT 2011
> Almost makes me wonder if eventually we'd want to have fake IP connections similarly to the fake udp connections?
I'm not following this. Seems we'd instead want (1) a one-time event
that identifies the presence of a tunnel, (2) regular processing (via
an analyzer chain) of the traffic inside the tunnel, and (3) a way to
tell that a given connection record (or other network event) ultimately
stems from tunneled traffic.