[Bro] couple of questions
jbabbin at comcast.net
Tue Mar 21 06:57:02 PST 2006
List,
I have a couple of questions that I can't seem to figure out.
1) Brian - Thanks for the SSL patch
Once enabled I don't see any way of filtering out hosts from the non-ssl traffic alarm. For example, I have several custom applications that use that port for their traffic...don't ask...so I need to be able to filter them out of the alarms like below.
"1141848057.399932 WeirdActivity ** 192.x.x.x/48612 > 206.x.x.x/https: SSL: Skipping connection (not an SSL connection?!)!"
The problem seems to be that the detection of non-ssl traffic is done in the source SSLProxy engine and I don't really want to be recompiling every time I need to add another host. Ideas?
2) Is it possible in a policy file to perform a size comparison on a string?
For example, if you wanted to see if a filename was longer than a certain length. How would you sizeof a string value?
Thanks in advance,
Jake Babbin