[Bro] udp_reply event instead of supposed udp_request event

Vern Paxson vern at icir.org
Fri Feb 11 08:41:19 PST 2005


> my question is: why does bro recognize udp_reply events and not udp_request
> events? the packets were only sent from one host to another and there 
> were no packets in the opposite direction.
> 
> I know that udp packets from port 53 are often dns replies but an 
> assumption which is made because of the application layer protocol 
> shouldn't have any impact on events on the transport protocol layer...

Shouldn't - yes, that would be ideal.  But in complex environments where
you don't necessarily see both sides of a request/response (due to reordering
caused by dual NICs, or multipathing, or drops, or "cold start" where the
request happened before Bro began running), it's proven beneficial to infer
directionality based on well-known ports.

It would be reasonable to add a script variable that turns this off, if
you want to contribute a patch.

		Vern
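The behaviour discussed in this thread, modelled as an added Python example (not Bro's source code): when only one direction of a UDP flow is visible, a sender using a well-known server port is treated as the responder, so every packet it sends raises udp_reply even though no request was ever seen. The well-known-port table, the packet records and the `use_port_heuristic` switch are constructed for the illustration and stand in for the script variable the reply suggests.

```python
# Added illustration of port-based directionality inference for UDP.
# Nothing here is Bro's own code or data: the port table is a constructed
# sample and the packets are made up to reproduce the one-sided flow
# described in the question.
from dataclasses import dataclass

# Constructed sample of well-known UDP server ports (assumption, not Bro's list)
WELL_KNOWN_UDP_PORTS = {53: "dns", 67: "dhcp", 123: "ntp", 161: "snmp", 514: "syslog"}


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def classify_first_packet(pkt, use_port_heuristic=True):
    """Decide orig/resp from the first packet of a flow.

    Returns (event, originator, responder), endpoints as (ip, port) tuples.
    Heuristic off: the first packet seen is always the request, so its
    sender is the originator. Heuristic on: a packet *from* a well-known
    server port toward a non-server port is taken to be a reply whose
    request was missed (cold start, drops, asymmetric routing), so the
    sender becomes the responder.
    """
    src = (pkt.src_ip, pkt.src_port)
    dst = (pkt.dst_ip, pkt.dst_port)
    src_known = pkt.src_port in WELL_KNOWN_UDP_PORTS
    dst_known = pkt.dst_port in WELL_KNOWN_UDP_PORTS
    if use_port_heuristic and src_known and not dst_known:
        return ("udp_reply", dst, src)
    return ("udp_request", src, dst)


def classify_flow(packets, use_port_heuristic=True):
    """Replay packets in order and return one event name per packet.

    The first packet of each flow fixes who is originator and responder;
    later packets are udp_request if sent by the originator, udp_reply
    if sent by the responder.
    """
    flows = {}  # unordered endpoint pair -> (originator, responder)
    events = []
    for pkt in packets:
        src = (pkt.src_ip, pkt.src_port)
        dst = (pkt.dst_ip, pkt.dst_port)
        key = frozenset((src, dst))
        if key not in flows:
            event, orig, resp = classify_first_packet(pkt, use_port_heuristic)
            flows[key] = (orig, resp)
        else:
            orig, _ = flows[key]
            event = "udp_request" if src == orig else "udp_reply"
        events.append(event)
    return events


# Constructed traffic: three packets from port 53 on one host to another
# host, with nothing ever sent back (the situation in the question).
ONE_SIDED_FROM_53 = [
    UdpPacket("10.0.0.1", 53, "10.0.0.2", 40000),
    UdpPacket("10.0.0.1", 53, "10.0.0.2", 40000),
    UdpPacket("10.0.0.1", 53, "10.0.0.2", 40000),
]

# Constructed traffic: a normal exchange where both directions are visible.
BOTH_SIDES = [
    UdpPacket("10.0.0.2", 40000, "10.0.0.1", 53),
    UdpPacket("10.0.0.1", 53, "10.0.0.2", 40000),
]

if __name__ == "__main__":
    print("heuristic on :", classify_flow(ONE_SIDED_FROM_53, True))
    print("heuristic off:", classify_flow(ONE_SIDED_FROM_53, False))
    print("both sides   :", classify_flow(BOTH_SIDES, True))
```

With the heuristic on, the one-sided flow yields three udp_reply events, which is exactly what the question reports; with it off, the same packets yield udp_request events. When both directions are visible the two settings agree, which is why the heuristic costs nothing in the common case and only matters when a request was never observed.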
