Few questions...

Ayyasamy, Senthilkumar (UMKC-Student) saq66 at umkc.edu
Thu Jul 25 16:11:50 PDT 2002
> > I could not find any bro mailing list archive.
> 
> (it's available as a single flat file [:-(] by sending "get 
> bro archive"
>  in the body of a message mailed to majordomo at lbl.gov)

Thanks !!! It will be really useful for me.

> > Does bro detect illegal TCP acknowledgements and 
> > retransmissions which I could not see using an ordinary 
> > dump utility?
> 
> Depends what you mean by "illegal".  It detects acknowledgments above
> sequence holes, and inconsistent TCP retransmission.  
> Unfortunately, when
> looking at a large volume of traffic, these show up due to 
> various things
> being broken (as mentioned in the Bro paper), so their presence isn't
> a useful indicator of an attack.

Have you observed it in a practical network?
-senthil