[Bro-Dev] Decapsulating "payload" tunnels

Seth Hall seth at icir.org
Wed Apr 25 07:10:52 PDT 2012


On Apr 25, 2012, at 9:54 AM, Seth Hall wrote:

> We would need to extend the DoNextPacket method to provide a short circuit for skipping the TCP reassembly and analysis since it would be reassembled payload bytes immediately after the fake IP header.  This would result in two connections showing up in conn.log when there was *really* only one.

The main idea I wanted to get across is that we're trying to consider the forensics process with our approach to the logging and we're trying to make the logs understandable but also give enough information to easily hunt for compromised machines.


Seth Hall
International Computer Science Institute
(Bro) because everyone has a network