[Bro-Dev] Deprecating events
scampbell at lbl.gov
Wed Nov 30 09:32:05 PST 2011
On 11/30/11 11:03 AM, Vern Paxson wrote:
>> ## Deprecated. Will be removed.
>> event stp_create_endp%(c: connection, e: int, is_orig: bool%);
>> ...
> Is the intent to remove the stepping stone detection
> functionality? That would be a pity, as now-and-then it provides
> very valuable forensic information.
>> ## Deprecated. Will be removed.
>> event interconn_stats%(c: connection, os: interconn_endp_stats, rs: interconn_endp_stats%);
>> ...
>> ## Deprecated. Will be removed.
>> event ssh_signature_found%(c: connection, is_orig: bool%);
> I agree with removing this stuff, as interconn never worked that
> well, and the signature stuff is all better done these days with
> DPD, or at least with um the signature engine.
>> There are more events that fit (1)-(3), in particular the
>> pattern-matching login_* events. Undecided whether those should
>> go too, but I have documented them for now.
> I'd be reluctant to lose these, as they could potentially become
> relevant if one is able to feed unencrypted SSH streams to Bro
> (depending on how the SSH server is set up).
> Vern
Re SSH streams, the iSSHD framework builds off the pattern matching
login-* events, but in that case we just take advantage of the policy
infrastructure rather than the event generation.