[Bro-Dev] #522: Event to report non TCP/UDP/ICMP packets

Bro Tracker bro at tracker.bro-ids.org
Fri Mar 2 18:22:10 PST 2012


#522: Event to report non TCP/UDP/ICMP packets
----------------------+------------------------
  Reporter:  gregor   |      Owner:  jsiwek
      Type:  Problem  |     Status:  assigned
  Priority:  Normal   |  Milestone:  Bro2.1
 Component:  Bro      |    Version:  git/master
Resolution:           |   Keywords:  IPv6
----------------------+------------------------

Comment (by jsiwek):

 In [eb9f686bb20fc1fe5021cd0b92eea3b5a147a1cd/bro]:
 {{{
 #!CommitTicketReference repository="bro"
 revision="eb9f686bb20fc1fe5021cd0b92eea3b5a147a1cd"
 Add handling for IPv6 extension header chains (addresses #531)

 - The script-layer 'pkt_hdr' type is extended with a new 'ip6' field
   representing the full IPv6 header chain.

 - The 'new_packet' event is now raised for IPv6 packets (addresses #523)

 - A new event called 'ipv6_ext_header' is raised for any IPv6 packet
   containing extension headers.

 - A new event called 'esp_packet' is raised for any packets using ESP
   ('new_packet' and 'ipv6_ext_header' events provide connection info,
   but that info can't be provided here since the upper-layer payload
   is encrypted).

 - The 'unknown_protocol' weird is now raised more reliably when Bro
   sees a transport protocol or IPv6 extension header it can't handle.
   (addresses #522)

 Still need to do IPv6 fragment reassembly and needs more testing.
 }}}

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/522#comment:2>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
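
An added illustration, not Bro's code and not part of the original message: a minimal Python walker over an IPv6 extension header chain that stops at ESP (the payload behind it is encrypted) and flags Next Header values it cannot handle, mirroring the 'esp_packet' and 'unknown_protocol' cases the commit message describes. The function names, verdict strings and sample packets are constructed for this example.

```python
import struct

# IANA protocol numbers used in the IPv6 Next Header field
HOPOPTS, ROUTING, FRAGMENT, ESP, AH, NO_NEXT, DSTOPTS = 0, 43, 44, 50, 51, 59, 60
TRANSPORT = {6: "tcp", 17: "udp", 58: "icmp6"}
GENERIC = {HOPOPTS, ROUTING, DSTOPTS}  # length byte counts 8-octet units past the first 8


def walk_chain(pkt: bytes):
    """Return (extension headers seen, verdict) for one raw IPv6 packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return [], "not_ipv6"
    nxt, off, chain = pkt[6], 40, []
    while True:
        if nxt in TRANSPORT:
            return chain, TRANSPORT[nxt]
        if nxt == NO_NEXT:
            return chain, "no_next_header"
        if nxt == ESP:  # everything after the ESP header is encrypted
            return chain + [ESP], "esp"
        if nxt not in GENERIC and nxt not in (FRAGMENT, AH):
            return chain, "unknown_protocol"
        if off + 8 > len(pkt):
            return chain, "truncated"
        if nxt == FRAGMENT:
            hlen = 8
        elif nxt == AH:
            hlen = (pkt[off + 1] + 2) * 4  # AH length is in 4-octet units minus 2
        else:
            hlen = (pkt[off + 1] + 1) * 8
        if off + hlen > len(pkt):
            return chain, "truncated"
        chain.append(nxt)
        # A non-first fragment does not carry the upper-layer header.
        if nxt == FRAGMENT and struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
            return chain, "fragment"
        nxt, off = pkt[off], off + hlen


def ip6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet: fixed IPv6 header with zeroed addresses."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + bytes(32) + payload


PADN = bytes([1, 4, 0, 0, 0, 0])  # PadN option filling out an 8-octet header
SAMPLES = {  # constructed packets, not captured traffic
    "hopopts+tcp": ip6(HOPOPTS, bytes([6, 0]) + PADN + bytes(20)),
    "dstopts+esp": ip6(DSTOPTS, bytes([ESP, 0]) + PADN + bytes(16)),
    "hopopts+253": ip6(HOPOPTS, bytes([253, 0]) + PADN + bytes(8)),
}
```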


