[Bro-Dev] #890: known-services hasty service detection

Bro Tracker bro at tracker.bro-ids.org
Mon Oct 1 13:21:15 PDT 2012


#890: known-services hasty service detection
---------------------+------------------------
 Reporter:  jsiwek   |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:  Bro2.2
Component:  Bro      |    Version:  git/master
 Keywords:           |
---------------------+------------------------
 known-services.bro mostly treats a `protocol_confirmation` like a
 "service" confirmation, but there's not a strict rule preventing an
 analyzer from doing a `protocol_confirmation` when only the originator
 side has been seen so far.  Such a rule/convention could be made to fix
 the problem, or maybe the script could change to be more flexible in how a
 protocol confirmation gets promoted to a service confirmation, for example
 by letting the user define that in a function per protocol.

 Bill Jones was specifically having trouble with Teredo.  From the mailing
 list "I don't think TEREDO is working correctly.  It is filling up the
 known_services.log with entries for local host ports that I know are
 closed just because there was a TEREDO packet sent to that port."
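
 As an added illustration (not code from this ticket or from Bro's own
 known-services.bro), one way the per-protocol promotion idea could look:
 a hypothetical `ServicePromote` module whose default policy refuses to
 promote a confirmation until the responder has sent data, assuming the
 Bro 2.1-era `protocol_confirmation` signature with `atype: count`.

```bro
# Added example, not part of the ticket or of known-services.bro.
# Assumes Bro 2.1-era event signature: protocol_confirmation(c, atype: count, aid: count).
module ServicePromote;

export {
	# Hypothetical per-analyzer policy table: analyzer tag -> promotion predicate.
	# Users can redef this to override the default for a given analyzer.
	global policy: table[count] of function(c: connection): bool &redef;

	# Hypothetical result set of (host, port) pairs that passed the policy.
	global confirmed: set[addr, port];

	# Default policy: a confirmation counts as a service only once the
	# responder has actually sent bytes back (a one-way Teredo packet to a
	# closed port never satisfies this).
	global default_policy: function(c: connection): bool;
}

function default_policy(c: connection): bool
	{
	return c$resp$size > 0;
	}

event protocol_confirmation(c: connection, atype: count, aid: count) &priority=-5
	{
	local p = (atype in policy) ? policy[atype] : default_policy;

	if ( ! p(c) )
		return;   # analyzer-specific or default rule says: not a service yet

	add confirmed[c$id$resp_h, c$id$resp_p];
	}
```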

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/890>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
