Bro: detecting OS probes

ashley thomas athomas at unity.ncsu.edu
Thu Jul 12 14:59:33 PDT 2001


Hi,

A lot of OS probes work by sending a combination of flags like

SFU12, SF12, etc. and seeing how the OS behaves. I was wondering how to detect
these kinds of probes using Bro.

I know it can be done easily in TCPConnection::NextPacket(),
where you have the syn, fin, rst and other flags in separate variables.
Probably I could look for those patterns and call Weird().

But is that the way to go about it? Or should the detection be done
at the Bro-script level?

thanks
Ashley
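The flag-combination check the question is about, as an added example that is not Bro code and not part of the original thread: it decodes the flags byte of a raw TCP header into the SFU12-style notation used above and applies the rules a detector would apply wherever it is placed (on the separate syn/fin/rst variables in TCPConnection::NextPacket(), or on a script-level event). The letter-to-bit table, the build_tcp_header()/classify()/scan() functions and the sample headers are this example's own constructions, not anything from Bro.

```python
"""Classify TCP flag combinations the way OS-fingerprinting probes use them.

Added example (not Bro code). "SFU12" style notation: S=SYN F=FIN R=RST
P=PSH A=ACK U=URG, and "1"/"2" are the two bits above URG that were
reserved in 2001 (RFC 3168 later assigned them to ECE and CWR for ECN).
"""
import struct

FLAG_ORDER = "SFRPAU12"
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}


def build_tcp_header(flags: str, sport: int = 40000, dport: int = 80) -> bytes:
    """Build a minimal 20-byte TCP header carrying the given probe-style flags.
    Constructed sample data only: sequence numbers are fixed, checksum is 0."""
    bits = 0
    for ch in flags:
        bits |= FLAG_BITS[ch]
    data_offset = 5 << 12  # 20-byte header, no options
    return struct.pack("!HHIIHHHH", sport, dport, 1, 0,
                       data_offset | bits, 65535, 0, 0)


def flags_from_header(tcp_header: bytes) -> str:
    """Decode the flags byte of a raw TCP header into 'SFU12' notation."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    off_flags = struct.unpack("!H", tcp_header[12:14])[0]
    return "".join(ch for ch in FLAG_ORDER if off_flags & FLAG_BITS[ch])


def classify(flags: str) -> str:
    """Return 'ok', 'ambiguous', or 'probe: <why>' for a flag combination."""
    f = set(flags)
    if {"S", "F"} <= f:
        return "probe: SYN+FIN never occur together"
    if {"S", "R"} <= f:
        return "probe: SYN+RST never occur together"
    if not f:
        return "probe: NULL segment (no flags)"
    if f <= {"R", "A"}:
        return "ok"  # a RST may legitimately lack ACK (RFC 793)
    if "A" in f:
        return "ok"  # ordinary data/ACK segment; "1"/"2" here are ECN bits
    if f <= {"S", "1", "2"}:
        # Only the initial SYN may lack ACK. With the reserved bits set it is
        # ambiguous: queso/nmap probed with it, but an ECN-capable stack
        # sends the same SYN+ECE+CWR (RFC 3168).
        return "ambiguous" if f & {"1", "2"} else "ok"
    return "probe: segment without ACK that is not a plain SYN"


def scan(headers):
    """Run the check over raw TCP headers; return [(flags, verdict)] for
    every segment that is not plain 'ok'."""
    hits = []
    for h in headers:
        flags = flags_from_header(h)
        verdict = classify(flags)
        if verdict != "ok":
            hits.append((flags, verdict))
    return hits


# Constructed sample traffic: a normal handshake and teardown, an ECN SYN,
# and the probe-style combinations from the question (plus FIN, Xmas, NULL).
SAMPLE_HEADERS = [build_tcp_header(f) for f in
                  ["S", "SA", "A", "FA", "A", "S12", "SFU12", "SF12", "F", "FPU", ""]]

if __name__ == "__main__":
    for flags, verdict in scan(SAMPLE_HEADERS):
        print(f"{flags or '(none)':8s} {verdict}")
```

The rules are the same whether they run on the parsed flag variables in the packet path or on a script-level event; the only difference is cost, since a per-packet check in C++ sees every segment while a script event has to be raised for each one. The caveat worth keeping is the "12" case: a SYN with both reserved bits set was a queso/nmap signature in 2001 but is exactly what an ECN-capable host sends today, so it should be reported separately from the combinations (SYN+FIN, NULL, FIN without ACK) that no conforming stack ever emits.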
