[Bro] udp_reply event instead of supposed udp_request event
Christian Kreibich
christian at whoop.org
Fri Feb 11 07:02:21 PST 2005
On Fri, 2005-02-11 at 14:34 +0100, Christoph Goeldi wrote:
>
> My question is: why does Bro recognize udp_reply events and not udp_request
> events? The packets were only sent from one host to another and there
> were no packets in the opposite direction.
It's hardcoded. Sessions.cc, around 1247.
> I know that UDP packets from port 53 are often DNS replies, but an
> assumption which is made because of the application layer protocol
> shouldn't have any impact on events on the transport protocol layer...
Bro assumes that UDP port 53 is DNS anyway, so assuming that traffic
sourced from port 53 is a DNS reply doesn't make much of a difference.
You could make that flip in Sessions.cc policy-controlled if it really
gets in your way ...
Cheers,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org