[Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readability

Vlad Grigorescu vlad at grigorescu.org
Tue Apr 26 07:04:24 PDT 2016


I'm not sure I agree without additional context. ICMP exfil is a known
technique. Wouldn't you want to know if all of a sudden, you started seeing
gigs of ICMP? Or is there some other limitation that would make detecting
this problematic?

What I would recommend instead is simply adding the protocols to the ports.
So, instead of "top ports: 53, 80, 443, 8" you would see: "top ports:
53/udp, 80/tcp, 443/tcp, 8/icmp"

Would this be sufficient to solve the ICMP/port number confusion?

On Tue, Apr 26, 2016 at 8:07 AM, Adam Slagell (JIRA) <
jira at bro-tracker.atlassian.net> wrote:

>
>     [
> https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25900#comment-25900
> ]
>
> Adam Slagell commented on BIT-1571:
> -----------------------------------
>
> Talking with Seth, he agrees that it probably just makes more sense to
> leave ICMP out of the connection summaries.
>
> > Connection summaries w/ IPv6 have poor readability
> > -------------------------------------------------
> >
> >                 Key: BIT-1571
> >                 URL: https://bro-tracker.atlassian.net/browse/BIT-1571
> >             Project: Bro Issue Tracker
> >          Issue Type: Improvement
> >          Components: BroControl
> >    Affects Versions: 2.4
> >            Reporter: Adam Slagell
> >            Assignee: Daniel Thayer
> >            Priority: Low
> >             Fix For: 2.5
> >
> >         Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt
> >
> >
> > The variable length of IPv6 and being mixed with IPv4 causes alignment
> issues with the white space in the connection summary emails.
>
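The two issues raised in this thread, mixed-length IPv4/IPv6 addresses breaking column alignment and a bare "8" in a top-ports list being ambiguous between a TCP/UDP port and an ICMP type, both come down to how the summary is rendered from conn.log rows. The script below is an added example and is not Bro's trace-summary code or anything from the ticket; it works on a small constructed set of conn.log-style rows, follows the conn.log convention of recording the ICMP message type in orig_p and the code in resp_p, and assumes a reduced column set (ts, addresses, ports, proto, byte counts). It renders the port list as port/proto, pads addresses so IPv4 and IPv6 entries line up, and also totals bytes per transport protocol, which is the number you would look at to notice the "gigs of ICMP" case rather than dropping ICMP from the summary.

```python
"""Render a connection summary from conn.log-style rows with port/proto
labels and aligned address columns (example code, not Bro's own)."""
from collections import Counter, defaultdict
import ipaddress

# Constructed sample rows, tab-separated like conn.log:
# ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, orig_bytes, resp_bytes
# For the icmp rows orig_p is the ICMP type (8 = echo request, 128 = ICMPv6
# echo request) and resp_p is the ICMP code, following the conn.log convention.
SAMPLE_CONN_LOG = """\
1461679200.1\t10.0.0.5\t51234\t8.8.8.8\t53\tudp\t60\t120
1461679200.2\t2001:db8::1\t51235\t2001:db8:ffff::53\t53\tudp\t70\t130
1461679200.3\t10.0.0.5\t51236\t93.184.216.34\t443\ttcp\t1500\t9000
1461679200.4\t2001:db8::1\t51237\t93.184.216.34\t443\ttcp\t1200\t8000
1461679200.5\t10.0.0.7\t51238\t203.0.113.10\t80\ttcp\t400\t2000
1461679200.6\t10.0.0.7\t8\t203.0.113.10\t0\ticmp\t64\t64
1461679200.7\t2001:db8::2\t128\t2001:db8::1\t0\ticmp\t1400000\t0
"""

FIELDS = ("ts", "orig_h", "orig_p", "resp_h", "resp_p", "proto", "orig_bytes", "resp_bytes")


def parse_conn_log(text):
    """Parse tab-separated rows into dicts; addresses are validated and
    normalised with ipaddress so IPv6 is always in its compressed form."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        row = dict(zip(FIELDS, line.split("\t")))
        row["orig_h"] = str(ipaddress.ip_address(row["orig_h"]))
        row["resp_h"] = str(ipaddress.ip_address(row["resp_h"]))
        for key in ("orig_p", "resp_p", "orig_bytes", "resp_bytes"):
            row[key] = int(row[key])
        rows.append(row)
    return rows


def service_label(row):
    """'port/proto' for TCP/UDP; for ICMP the meaningful number is the
    message type held in orig_p, so label that instead of the code."""
    if row["proto"] == "icmp":
        return f"{row['orig_p']}/icmp"
    return f"{row['resp_p']}/{row['proto']}"


def top_ports(rows, n=5, include_icmp=True):
    """Most frequent service labels, ordered by count then label for a
    deterministic result when counts tie."""
    counts = Counter()
    for row in rows:
        if row["proto"] == "icmp" and not include_icmp:
            continue
        counts[service_label(row)] += 1
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [label for label, _ in ranked[:n]]


def format_top_ports(rows, n=5, include_icmp=True):
    return "top ports: " + ", ".join(top_ports(rows, n, include_icmp))


def bytes_by_proto(rows):
    """Total bytes in both directions per transport protocol; a sudden
    large icmp figure here is the signal ICMP exfiltration would leave."""
    totals = defaultdict(int)
    for row in rows:
        totals[row["proto"]] += row["orig_bytes"] + row["resp_bytes"]
    return dict(totals)


def format_host_table(rows):
    """Left-justify each address column to the widest entry so that
    IPv4 and IPv6 addresses share the same column boundaries."""
    triples = [(r["orig_h"], r["resp_h"], service_label(r)) for r in rows]
    w_orig = max(len(t[0]) for t in triples)
    w_resp = max(len(t[1]) for t in triples)
    return "\n".join(f"{o:<{w_orig}}  ->  {r:<{w_resp}}  {s}" for o, r, s in triples)


if __name__ == "__main__":
    rows = parse_conn_log(SAMPLE_CONN_LOG)
    print(format_top_ports(rows))
    print(bytes_by_proto(rows))
    print(format_host_table(rows))
```

With the sample rows the summary line reads "top ports: 443/tcp, 53/udp, 128/icmp, 8/icmp, 80/tcp", and the ICMP byte total stands out against TCP and UDP even though ICMP accounts for only two of the seven rows. Passing include_icmp=False reproduces the alternative discussed in the ticket of leaving ICMP out of the port list entirely.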