[Bro-Dev] Decapsulating "payload" tunnels

Robin Sommer robin at icir.org
Fri Apr 27 09:01:20 PDT 2012

On Fri, Apr 27, 2012 at 10:10 -0400, you wrote:

> Hah!  It's as if someone had been thinking about this eventuality from
> the beginning. :)

Who might that have been? :-)

> Oh, good point.  We really need signatures so that DPD would work on
> the proxied data.  Are you thinking that it would mostly break the TCP
> semantics of the signatures?

The signature engine uses the initial packet of a connection to
initialize state. Can't tell off the top of my head if we can easily
get around that. In the worst case, we'd need to fake a packet just
for that.

> Another approach to consider might be to back away from using ip-proto
> in signatures.  If SCTP does ever gain traction it would greatly
> complicate many signatures relying on the specific transport protocol.
> We could just indicate connection-oriented or packet-oriented
> signatures.

Would prefer to avoid the latter as it's not the signature that
determines whether matching is packet- or stream-oriented (but the
transport protocol in use itself). The ip-proto doesn't do anything
else than matching the corresponding IP field and using it is
primarily an optimization to avoid payload matching when possible. So
just skipping it is fine I'd think.


Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org
