[Bro-Dev] flipped connections?
Seth Hall
seth at icir.org
Fri Jan 4 19:35:38 PST 2013
Would it make sense for us to begin indicating if Bro "flipped" a connection in the conn.log? Occasionally I see stuff that shows up in various places (right now I'm seeing it in weird.log) and might just be a host doing a syn scan with src port 80, but Bro will flip that due to the likely_servers_ports variable. It seems to me like an additional boolean value in conn.log would be helpful to know if a connection was flipped or not.
Right now though this information doesn't seem to be available at the script land anywhere. Am I correct on that?
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 495 bytes
Desc: Message signed with OpenPGP using GPGMail
Url : http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20130104/5d2554ef/attachment.bin
More information about the bro-dev
mailing list