[Bro-Dev] [JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readability

Adam Slagell (JIRA) jira at bro-tracker.atlassian.net
Tue Apr 26 07:12:01 PDT 2016


     [ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Slagell updated BIT-1571:
------------------------------
    Attachment: text.html

Or don’t count it in the port statistics, but still count it in the protocol stats. So you would see a ton of protocol #1

But I think I like your suggestion better because it separates things like 53/tcp and 53/udp.

On Apr 26, 2016, at 9:04 AM, Vlad Grigorescu <vlad at grigorescu.org> wrote:

I'm not sure I agree without additional context. ICMP exfil is a known technique. Wouldn't you want to know if all of a sudden, you started seeing gigs of ICMP? Or is there some other limitation that would make detecting this problematic?

What I would recommend instead is simply adding the protocols to the ports. So, instead of "top ports: 53, 80, 443, 8" you would see: "top ports: 53/udp, 80/tcp, 443/tcp, 8/icmp"

Would this be sufficient to solve the ICMP/port number confusion?

On Tue, Apr 26, 2016 at 8:07 AM, Adam Slagell (JIRA) <jira at bro-tracker.atlassian.net> wrote:

    [ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25900#comment-25900 ]

Adam Slagell commented on BIT-1571:
-----------------------------------

Talking with Seth, he agrees that it probably just makes more sense to leave ICMP out of the connection summaries.




--
This message was sent by Atlassian JIRA
(v1000.5.0#72002)
_______________________________________________
bro-dev mailing list
bro-dev at bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev


------

Adam J. Slagell
Chief Information Security Officer
Director, Cybersecurity Division
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."

> Connection summaries w/ IPv6 have poor readability
> -------------------------------------------------
>
>                 Key: BIT-1571
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1571
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: BroControl
>    Affects Versions: 2.4
>            Reporter: Adam Slagell
>            Assignee: Daniel Thayer
>            Priority: Low
>             Fix For: 2.5
>
>         Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt, text.html
>
>
> The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.
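The two points raised in this thread (ICMP types being listed as if they were TCP/UDP port numbers, and IPv4/IPv6 addresses of different lengths breaking column alignment) can be shown in a few lines. The following is an added example written for this archive page, not code from BroControl or the Bro project. It tallies a constructed set of conn.log-style rows both the naive way (port only) and keyed by port/proto as Vlad suggested, keeps a per-protocol byte total so a spike in ICMP volume stays visible, and renders addresses in a fixed-width column. The sample rows, the `ADDR_WIDTH` constant and the column layout are assumptions made for the example.

```python
"""Added example: port/proto tallies and aligned IPv4/IPv6 columns for a
connection summary. Not BroControl code; sample data is constructed."""
import ipaddress
from collections import Counter

# Constructed rows resembling conn.log columns:
# (id.orig_h, id.resp_h, id.resp_p, proto, orig_bytes).
# For ICMP, Bro records the ICMP type in the "port" field, which is the
# source of the "port 8" confusion discussed above.
SAMPLE_CONNS = [
    ("192.0.2.10",  "198.51.100.5",      53,  "udp",  120),
    ("192.0.2.10",  "198.51.100.5",      53,  "tcp",  900),
    ("2001:db8::1", "2001:db8:0:ffff::2", 443, "tcp",  5000),
    ("192.0.2.11",  "203.0.113.7",       80,  "tcp",  1500),
    ("192.0.2.12",  "203.0.113.7",       8,   "icmp", 64),
    ("2001:db8::5", "203.0.113.9",       8,   "icmp", 4_000_000),
]

# Longest textual IPv6 form (eight 4-hex-digit groups plus seven colons) is
# 39 characters, so a 39-wide column fits any IPv4 or IPv6 address.
ADDR_WIDTH = 39


def top_ports_naive(conns):
    """Port-only tally, as in the summary the ticket complains about:
    53/tcp and 53/udp merge, and ICMP type 8 shows up as 'port 8'."""
    return Counter(str(port) for _, _, port, _, _ in conns)


def top_ports_with_proto(conns):
    """Tally keyed by port/proto, giving '53/udp', '53/tcp', '8/icmp'."""
    return Counter(f"{port}/{proto}" for _, _, port, proto, _ in conns)


def bytes_by_proto(conns):
    """Byte volume per transport protocol. A sudden jump in 'icmp' is
    visible here even if ICMP were left out of the port table."""
    totals = Counter()
    for _, _, _, proto, nbytes in conns:
        totals[proto] += nbytes
    return totals


def render_rows(conns):
    """One line per connection with fixed-width address columns so mixed
    IPv4/IPv6 rows stay aligned. Addresses are canonicalised (compressed
    IPv6 form) before padding so the same host always renders identically."""
    rows = []
    for orig, resp, port, proto, nbytes in conns:
        o = ipaddress.ip_address(orig).compressed
        r = ipaddress.ip_address(resp).compressed
        rows.append(
            f"{o:<{ADDR_WIDTH}}  {r:<{ADDR_WIDTH}}  {port}/{proto:<4}  {nbytes:>10}"
        )
    return rows


def summary_text(conns, n=4):
    """Assemble a small text summary: top port/proto pairs, bytes per
    protocol, then the aligned connection rows."""
    lines = ["top ports: " + ", ".join(
        f"{k} ({c})" for k, c in top_ports_with_proto(conns).most_common(n))]
    lines.append("bytes by proto: " + ", ".join(
        f"{k}={v}" for k, v in bytes_by_proto(conns).most_common()))
    lines.append(f"{'orig':<{ADDR_WIDTH}}  {'resp':<{ADDR_WIDTH}}  port/proto   bytes")
    lines.extend(render_rows(conns))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summary_text(SAMPLE_CONNS))
```

Running the block prints the summary for the constructed rows; the naive tally reports "53" twice and "8" twice, while the port/proto tally separates 53/udp from 53/tcp and labels the ICMP entries 8/icmp, and the two ICMP rows together account for just over 4 MB in the per-protocol byte total.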
