Few questions...
Vern Paxson
vern at icir.org
Thu Jul 25 16:03:37 PDT 2002
> I could not find any bro mailing list archive.
(it's available as a single flat file [:-(] by sending "get bro archive"
in the body of a message mailed to majordomo at lbl.gov)
> Does bro detects illegal TCP acknowledgements and
> retransmissions which i could not see using ordinary
> dump utility?
Depends what you mean by "illegal". It detects acknowledgments above
sequence holes, and inconsistent TCP retransmission. Unfortunately, when
looking at a large volume of traffic, these show up due to various things
being broken (as mentioned in the Bro paper), so their presence isn't
a useful indicator of an attack.
Vern
More information about the Bro
mailing list