new bro "CURRENT" release - 0.8a57

Vern Paxson vern at icir.org
Fri Dec 12 10:51:32 PST 2003


> The changes notes above don't mention the <addl> field.  Is that just
> an oversight in the notes,

Yes, just an oversight in the notes.

> Will <service> still contain port numbers?  Or will "other-nnnnn" become
> simply "other"?  (that would be my preference)

Good point.  As implemented, it continues to be other-nnnnn, but I think
just plain "other" makes more sense, since we now can finally cleanly separate
the notion of service from the notion of port.

> Although I don't know what the "neighbor net" U flag even means, I wonder
> if this is the time to drop that, as the BRO manual says the whole notion
> is historical.

The notion of "neighbor" is still used a bit in the policy scripts
(in scan.bro, in particular - different rules apply to scan detection
for activity from neighbors than from others), but arguably this should
be structured in a different fashion (a general notion of networks that
are allowed to scan), and in fact this has bitten us operationally in
the past, when an infected neighbor scanned us.

Thanks for the suggestions!

		Vern
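The two design points in the reply above (a service field that is plain "other" with the port carried separately, and scan detection that exempts a configurable set of networks rather than a hard-wired "neighbor" notion) can be illustrated with a small detector over constructed connection records. This is an added example, not code from Bro or from the policy scripts discussed in the thread; it is written in Python rather than Bro's policy language, and the four-column record format, the threshold, and the `allowed_to_scan` list are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records, one per line: src_ip dst_ip dst_port service.
# These are invented for the example and are not taken from any real log.
SAMPLE_CONNS = """\
10.1.1.5 192.168.0.1 80 http
10.1.1.5 192.168.0.2 80 http
10.1.1.5 192.168.0.3 6000 other
10.1.1.5 192.168.0.4 6001 other
10.1.1.5 192.168.0.5 6002 other
172.16.7.9 192.168.0.1 22 ssh
172.16.7.9 192.168.0.2 22 ssh
172.16.7.9 192.168.0.3 22 ssh
172.16.7.9 192.168.0.4 22 ssh
172.16.7.9 192.168.0.5 22 ssh
198.51.100.20 192.168.0.1 443 https
"""


def parse_conns(text):
    """Parse the assumed four-column format into records that keep the
    service name and the destination port as separate fields."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, service = line.split()
        records.append({
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "service": service,
        })
    return records


def legacy_service(rec):
    """The older 'other-nnnnn' form, which folds the port into the service
    name; shown only to contrast it with keeping the two fields apart."""
    if rec["service"] == "other":
        return "other-%d" % rec["port"]
    return rec["service"]


def ports_per_service(records):
    """Distinct destination ports seen per service name. With a plain
    'other' service, all unrecognised ports aggregate under one key."""
    seen = defaultdict(set)
    for r in records:
        seen[r["service"]].add(r["port"])
    return {svc: len(ports) for svc, ports in seen.items()}


def detect_scanners(records, threshold, allowed_to_scan=()):
    """Flag sources that contact at least `threshold` distinct destination
    hosts, unless the source lies in a network listed in `allowed_to_scan`
    (CIDR strings). Returns {src_ip_str: distinct_dest_count}."""
    nets = [ipaddress.ip_network(n) for n in allowed_to_scan]
    dests = defaultdict(set)
    for r in records:
        dests[r["src"]].add(r["dst"])
    flagged = {}
    for src, ds in dests.items():
        if len(ds) < threshold:
            continue
        # An allowed network suppresses the alert entirely; this is the
        # operational hazard the reply mentions: an infected host inside an
        # allowed network scans without being flagged.
        if any(src in n for n in nets):
            continue
        flagged[str(src)] = len(ds)
    return flagged


if __name__ == "__main__":
    recs = parse_conns(SAMPLE_CONNS)
    print("ports per service:", ports_per_service(recs))
    print("legacy names:", sorted({legacy_service(r) for r in recs}))
    print("no allowlist:", detect_scanners(recs, 5))
    print("10.1.0.0/16 allowed:", detect_scanners(recs, 5, ["10.1.0.0/16"]))
```

Keeping `service` and `port` separate lets the summary count three unrecognised ports under a single "other" key, whereas the legacy form would yield three distinct "other-6000"/"other-6001"/"other-6002" services. The allowlist variant shows why a broad "neighbors may scan" rule is risky: widening it to cover both sources silences the detector completely.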
