[Bro-Dev] UDP connection_established event?

Vlad Grigorescu vlad at grigorescu.org
Mon Mar 5 07:46:16 PST 2018


True, I'm just basing it off of Bro's mechanism to turn some UDP traffic
into "connections" that fit into its model.

I guess what I'm looking for is a connection_state_add to go with the
existing connection_state_remove. It wouldn't be UDP-specific, but it might
fit the current event model a bit better.

On Mon, Mar 5, 2018 at 4:55 AM, Jan Grashöfer <jan.grashoefer at gmail.com>
wrote:

> On 02/03/18 03:52, Vlad Grigorescu wrote:
> > I would like to propose a new event in Bro, one that would fire when a UDP
> > connection is established (i.e. a response is observed within some time
> > frame after a request is seen). Basically, the UDP equivalent of
> > connection_established.
> >
> > [...]
> >
> > Does anyone have thoughts about this?
>
> I definitely see the need to correlate request-response-pairs for UDP
> protocols but as UDP is *connectionless*, the term UDP connection sounds
> very strange to me. Maybe a general notion of request-response protocols
> could be established. Corresponding protocols could trigger general
> events. For some protocols there might be even a session concept.
>
> Jan
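Added example, not part of the thread and not Bro's implementation: a Python sketch of the semantics discussed above, where the first packet of a UDP flow raises a "state add" event and the first reverse-direction packet within a time window raises an "established" event. The event names, the 5-second window and the sample packets are assumptions made for illustration.

```python
from dataclasses import dataclass

RESPONSE_WINDOW = 5.0  # seconds; assumed, the thread names no value

@dataclass
class Flow:
    orig: tuple          # (ip, port) that sent the first packet
    resp: tuple          # (ip, port) it was sent to
    first_seen: float
    established: bool = False

class UdpFlowTable:
    def __init__(self, window=RESPONSE_WINDOW):
        self.window = window
        self.flows = {}      # frozenset({endpoint, endpoint}) -> Flow
        self.events = []     # (event_name, orig, resp); names are hypothetical

    def _expire(self, now):
        # Drop flows that never saw a reply inside the window.
        # Established flows are kept forever in this sketch.
        for key, flow in list(self.flows.items()):
            if not flow.established and now - flow.first_seen > self.window:
                del self.flows[key]
                self.events.append(("unanswered", flow.orig, flow.resp))

    def packet(self, ts, src, dst):
        self._expire(ts)
        key = frozenset((src, dst))
        flow = self.flows.get(key)
        if flow is None:
            # First packet of a flow: the "state add" moment.
            self.flows[key] = Flow(src, dst, ts)
            self.events.append(("state_add", src, dst))
        elif not flow.established and src == flow.resp:
            # First reverse-direction packet inside the window.
            flow.established = True
            self.events.append(("udp_established", flow.orig, flow.resp))

# Constructed sample traffic: (timestamp, source, destination)
CLIENT, DNS = ("10.0.0.5", 53124), ("10.0.0.1", 53)
PROBE, SNMP = ("10.0.0.5", 40000), ("192.0.2.9", 161)
SAMPLE_PACKETS = [
    (0.00, CLIENT, DNS), (0.02, DNS, CLIENT),   # answered request
    (1.00, PROBE, SNMP), (1.50, PROBE, SNMP),   # request and retransmit
    (9.00, SNMP, PROBE),                        # reply after the window
]

def run(packets):
    table = UdpFlowTable()
    for ts, src, dst in packets:
        table.packet(ts, src, dst)
    return table.events
```

In the sample, the reply that arrives after the window starts a new flow with originator and responder swapped, which is the kind of direction ambiguity a time-bounded "established" event has to account for.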