[Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readability

Slagell, Adam J slagell at illinois.edu
Tue Apr 26 07:10:17 PDT 2016

Or don’t count it in the port statistics, but still count it in the protocol stats. So you would see a ton of protocol #1.

But I think I like your suggestion better because it separates things like 53/tcp and 53/udp.

On Apr 26, 2016, at 9:04 AM, Vlad Grigorescu <vlad at grigorescu.org> wrote:

I'm not sure I agree without additional context. ICMP exfil is a known technique. Wouldn't you want to know if all of a sudden, you started seeing gigs of ICMP? Or is there some other limitation that would make detecting this problematic?

What I would recommend instead is simply adding the protocols to the ports. So, instead of "top ports: 53, 80, 443, 8" you would see: "top ports: 53/udp, 80/tcp, 443/tcp, 8/icmp"

Would this be sufficient to solve the ICMP/port number confusion?

On Tue, Apr 26, 2016 at 8:07 AM, Adam Slagell (JIRA) <jira at bro-tracker.atlassian.net> wrote:

    [ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25900#comment-25900 ]

Adam Slagell commented on BIT-1571:

Talking with Seth, he agrees that it probably just makes more sense to leave ICMP out of the connection summaries.

> Connection summaries w/ IPv6 have poor readability
> -------------------------------------------------
>                 Key: BIT-1571
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1571
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: BroControl
>    Affects Versions: 2.4
>            Reporter: Adam Slagell
>            Assignee: Daniel Thayer
>            Priority: Low
>             Fix For: 2,5
>         Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt
> The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.

This message was sent by Atlassian JIRA
bro-dev mailing list
bro-dev at bro.org


Adam J. Slagell
Chief Information Security Officer
Director, Cybersecurity Division
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."
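The two points raised in the thread, keying the "top ports" statistic by port/protocol so 53/udp and 53/tcp (and ICMP type numbers) are not conflated, and sizing the address columns to the widest address so mixed IPv4/IPv6 rows stay aligned, as an added example in Python. This is not BroControl's own code; the connection records are constructed for illustration.

```python
from collections import Counter

# Constructed sample connection records (not from a real Bro conn log):
# (orig_h, resp_h, resp_p, proto, bytes). Addresses are documentation ranges.
CONNS = [
    ("10.0.0.5", "192.0.2.10", 53, "udp", 120),
    ("10.0.0.5", "192.0.2.10", 53, "tcp", 900),
    ("2001:db8::1", "2001:db8:ffff::53", 53, "udp", 80),
    ("10.0.0.7", "198.51.100.3", 443, "tcp", 50000),
    ("2001:db8::2", "198.51.100.3", 80, "tcp", 3000),
    ("10.0.0.9", "192.0.2.99", 8, "icmp", 64),  # ICMP type 8 (echo), not a port
]


def top_ports(conns, n=3):
    """Count connections by 'port/proto' so 53/udp and 53/tcp stay separate
    and an ICMP type number is visibly labelled rather than read as a port."""
    counts = Counter(f"{p}/{proto}" for _, _, p, proto, _ in conns)
    return [key for key, _ in counts.most_common(n)]


def protocol_bytes(conns):
    """Byte totals per transport protocol, so a sudden surge of ICMP volume
    still shows up even if ICMP is left out of the port statistics."""
    totals = Counter()
    for _, _, _, proto, nbytes in conns:
        totals[proto] += nbytes
    return dict(totals)


def format_table(conns):
    """Left-justify the address columns to the widest address present, so a
    mix of IPv4 and IPv6 addresses does not break the column alignment."""
    w_o = max(len(c[0]) for c in conns)
    w_r = max(len(c[1]) for c in conns)
    lines = [f"{'orig_h':<{w_o}}  {'resp_h':<{w_r}}  {'port':>9}  {'bytes':>7}"]
    for o, r, p, proto, nbytes in conns:
        port = f"{p}/{proto}"
        lines.append(f"{o:<{w_o}}  {r:<{w_r}}  {port:>9}  {nbytes:>7}")
    return "\n".join(lines)


if __name__ == "__main__":
    print("top ports:", ", ".join(top_ports(CONNS)))
    print("bytes by protocol:", protocol_bytes(CONNS))
    print(format_table(CONNS))
```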
