[Bro-Dev] #890: known-services hasty service detection
Bro Tracker
bro at tracker.bro-ids.org
Mon Oct 1 13:21:15 PDT 2012
#890: known-services hasty service detection
---------------------+------------------------
Reporter: jsiwek | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone: Bro2.2
Component: Bro | Version: git/master
Keywords: |
---------------------+------------------------
known-services.bro mostly treats a `protocol_confirmation` like a
"service" confirmation, but there's not a strict rule preventing an
analyzer from doing a `protocol_confirmation` when only the originator
side has been seen so far. Such a rule/convention could be made to fix
the problem, or maybe the script could change to be more flexible in how a
protocol confirmation gets promoted to a service confirmation like if the
user were able to define that in a function per-protocol.
Bill Jones was specifically having trouble with Teredo. From the mailing
list "I don't think TEREDO is working correctly. It is filling up the
known_services.log with entries for local host ports that I know are
closed just because there was a TEREDO packet sent to that port."
--
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/890>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
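As an added illustration of the per-protocol promotion rule the ticket proposes (example code written for this page; it is not from the ticket, from known-services.bro, or from the Bro project), the script below keeps a table of per-service predicates and a default predicate that requires the responder to have sent payload before a `protocol_confirmation` is promoted to a service entry. The module name `ServiceGate` and the names `confirmers`, `default_confirmer`, `confirmed_services`, `never_confirm` and `passes_gate` are assumptions of this example; `c$service`, `c$resp$size` and `c$id` are the standard connection record fields. The `protocol_confirmation` event signature used is the Bro 2.x one from the ticket's era; later versions changed it.

```zeek
##! Added example, not code from the ticket or from known-services.bro.
##! Gate the promotion of a protocol confirmation to a service confirmation
##! on a per-protocol predicate, with a default that requires the responder
##! to have actually talked.  Module and identifier names are assumptions.

module ServiceGate;

export {
	## Service name (as it appears in c$service) -> predicate deciding
	## whether a protocol confirmation for it counts as a live service.
	## Assumed name; site policy can add entries with redef.
	global confirmers: table[string] of function(c: connection): bool &redef;

	## Fallback predicate for services with no entry in `confirmers`.
	global default_confirmer: function(c: connection): bool;

	## Responder host/port pairs accepted by the gate, keyed the same
	## way known_services is.
	global confirmed_services: set[addr, port] &create_expire=1day;
}

## Default rule: the responder must have sent payload.  A one-sided packet
## to a closed port (the case described in the ticket) has c$resp$size == 0
## and is therefore not promoted.
function default_confirmer(c: connection): bool
	{
	return c$resp$size > 0;
	}

## Predicate that never promotes a confirmation, used here for Teredo:
## a confirmation can be raised from originator-side traffic alone, which
## says nothing about a listening service on the responder.
function never_confirm(c: connection): bool
	{
	return F;
	}

redef confirmers += { ["TEREDO"] = never_confirm };

## A connection is recorded only if every service attached to it passes
## its predicate (per-protocol entry if present, default otherwise).
function passes_gate(c: connection): bool
	{
	for ( svc in c$service )
		{
		local ok: bool;
		if ( svc in confirmers )
			ok = confirmers[svc](c);
		else
			ok = default_confirmer(c);
		if ( ! ok )
			return F;
		}
	return T;
	}

## Bro 2.x signature at the time of the ticket; later versions changed it.
## Low priority so the DPD framework has already populated c$service.
event protocol_confirmation(c: connection, atype: count, aid: count) &priority=-5
	{
	if ( ! passes_gate(c) )
		return;
	add confirmed_services[c$id$resp_h, c$id$resp_p];
	}
```

With this arrangement the convention the ticket asks for is expressed as data rather than as a rule every analyzer must follow: a site that trusts a particular analyzer to confirm only after both sides have been seen can register a predicate that returns `T` unconditionally, while everything else falls back to the responder-has-talked check.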