[Bro-Dev] [JIRA] (BIT-883) Event for large number of extension headers

Jon Siwek (JIRA) jira at bro-tracker.atlassian.net
Tue Mar 17 07:49:00 PDT 2015

     [ https://bro-tracker.atlassian.net/browse/BIT-883?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jon Siwek updated BIT-883:
    Fix Version/s:     (was: 2.4)

> Event for large number of extension headers
> -------------------------------------------
>                 Key: BIT-883
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-883
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: sheharbano.k
>             Fix For: 2.5
> We may want to generate an event for when the number of extension headers in a packet exceed a threshold T. Within a single packet, extension headers can be chained on and on. However, we are limited by path MTU. In this case fragmentation comes to our rescue. So the number of extension headers that can be stuffed inside the same packet is limited by the fragmentation offset which is a 13 bytes field in the fragment extension header. This number is still very big. I think we should perform this check in the core because counting the number of extension headers for every single IPv6 packet is expensive at the scripting layer.

This message was sent by Atlassian JIRA

More information about the bro-dev mailing list