[Bro] udp_reply event instead of supposed udp_request event
Ruoming Pang
rpang at CS.Princeton.EDU
Fri Feb 11 11:46:16 PST 2005
>> my question is: why does bro recognize udp_reply events and not
>> udp_request events? the packets were only sent from one host to another
>> and there were no packets in the opposite direction.
>
> It's hardcoded. Sessions.cc, around 1247.
Yes, Bro currently tries to guess which port is the service port,
because it may not see the complete connection, for example, it may
miss the initial DNS request. What Bro really should do is to look at
the packet contents in addition to port numbers in its guessing. We
have been puzzled, too, by non-DNS packets with source port 53 (the
source port was probably selected to fool firewalls). I don't know if
anyone is working on this kind of content-based port selection, but for
now, the problem can be circumvented by tweaking
NetSessions::IsLikelyServerPort().
Ruoming
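The reply above describes a port-only heuristic (a packet whose source port is 53 is treated as coming from the server, hence udp_reply) and suggests letting the payload vote as well. The following is an added example, not Bro's code and not what Sessions.cc or NetSessions::IsLikelyServerPort() actually do: it shows a content-aware variant where a port-53 sender only counts as a DNS server if the payload parses as a plausible DNS message, and where the DNS QR bit settles direction outright. The server-port list, the DNS sanity checks, the fallback rule (first packet seen is from the originator) and the sample packets are all this example's own assumptions and constructions.

```python
"""Content-aware guess of which end of a UDP packet is the server.

Added example, not Bro's code. The port list, tie-break rule and DNS
sanity checks are this example's assumptions, not what Sessions.cc does.
"""
import struct

# Assumed set of "well-known server" UDP ports for the port-only heuristic.
LIKELY_SERVER_PORTS = {53, 67, 68, 69, 123, 137, 138, 161, 162, 514, 1900}


def parse_dns_header(payload):
    """Return (flags, qdcount) if payload has a plausible DNS header and a
    well-formed first question, else None. Heuristic, not a full parser."""
    if len(payload) < 12:
        return None
    _txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5):      # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        return None
    if flags & 0x0040:                     # reserved Z bit must be zero
        return None
    if qd < 1 or qd > 4:                   # normal messages carry one question
        return None
    # Walk the first question name: 1..63-byte labels ended by a 0 byte.
    # A compression pointer cannot legitimately appear in the first name.
    off = 12
    while True:
        if off >= len(payload):
            return None
        length = payload[off]
        off += 1
        if length == 0:
            break
        if length > 63 or off + length > len(payload):
            return None
        off += length
        if off - 12 > 255:                 # wire-format names are <= 255 bytes
            return None
    if off + 4 > len(payload):
        return None
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    if qtype == 0 or qclass not in (1, 3, 4, 254, 255):   # IN, CH, HS, NONE, ANY
        return None
    return flags, qd


def looks_like_dns(payload):
    return parse_dns_header(payload) is not None


def dns_is_response(payload):
    """QR bit: True for a response (sent by a server), False for a query,
    None when the payload does not look like DNS at all."""
    parsed = parse_dns_header(payload)
    if parsed is None:
        return None
    return bool(parsed[0] & 0x8000)


def is_likely_server_port(port, payload, content_aware=True):
    """Port-only heuristic, optionally refined by payload for port 53."""
    if content_aware and port == 53:
        return looks_like_dns(payload)
    return port in LIKELY_SERVER_PORTS


def guess_direction(src_port, dst_port, payload, content_aware=True):
    """'request' if the sender is judged to be the client (originator),
    'reply' if the sender is judged to be the server."""
    if content_aware:
        qr = dns_is_response(payload)
        if qr is not None:                 # real DNS: the QR bit decides
            return "reply" if qr else "request"
    src_srv = is_likely_server_port(src_port, payload, content_aware)
    dst_srv = is_likely_server_port(dst_port, payload, content_aware)
    if src_srv and not dst_srv:
        return "reply"
    if dst_srv and not src_srv:
        return "request"
    # Neither (or both) ends look like a server: assume the first packet
    # seen comes from the originator (assumed fallback rule).
    return "request"


def dns_question(name, qtype=1, qclass=1):
    wire = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return wire + b"\x00" + struct.pack("!HH", qtype, qclass)


# Constructed sample packets (not captured traffic).
DNS_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + dns_question("example.com")
DNS_RESPONSE = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                + dns_question("example.com")
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34]))
NOT_DNS = b"GET / HTTP/1.0\r\n\r\n"   # one-way traffic with spoofed source port 53

if __name__ == "__main__":
    print("40000->53 DNS query   :", guess_direction(40000, 53, DNS_QUERY))
    print("53->40000 DNS response:", guess_direction(53, 40000, DNS_RESPONSE))
    print("53->7777 non-DNS, port-only   :", guess_direction(53, 7777, NOT_DNS, content_aware=False))
    print("53->7777 non-DNS, content-aware:", guess_direction(53, 7777, NOT_DNS))
```

The last two lines of the main block reproduce the situation in the question: with ports alone, anything sent from port 53 is classed as a reply; once the payload fails the DNS check, the same packet is classed as a request from the originator. The header checks are deliberately conservative (opcode, Z bit, question count, label lengths, class) so that random or ASCII payloads are unlikely to pass by accident.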