[Bro] UDP flow anomaly

Robin Sommer robin at icir.org
Tue Sep 18 20:25:10 PDT 2007


On Tue, Sep 18, 2007 at 15:39 +0800, CS Lee wrote:

> The script can locate the 210.79.186.143 but not 200.83.176.80 and
> 89.37.157.114. That led us to believe that Bro understands the flow at the
> semantic level. In fact if we do the matching to 18+19 = 37 bytes,

That's right, the size in the endpoint record is cumulative and 
reflects the total size of the flow so far. 

I see two options for you:

- you could remember the flows' size with every udp_reply and then
calculate the increase when the next udp_reply comes in. 

- you could use the new_packet() event which gives you the size for
each packet.

Neither of the two approaches is very nice, and both can also turn out to
be pretty expensive. The main problem here is that Bro isn't really
well-suited for expressing policies at the level of individual packets,
as it tries to abstract from packets to high-level activity as much as
possible.

Robin

-- 
Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org 
LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
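The two options Robin sketches above, written out as one policy script. This is an added example for this archive page, not code from the thread or from the Bro distribution. It assumes Bro 1.x script syntax and the `conn_id`, `endpoint` and `pkt_hdr` record layouts from `bro.init`; `sizes_of_interest` and `last_resp_size` are names made up here, seeded with the 18- and 19-byte reply sizes mentioned in the quoted message.

```bro
# Added example: per-reply UDP sizes from Bro's cumulative flow counters.
# Assumes Bro 1.x syntax and the standard bro.init record definitions.

# Reply sizes (payload bytes) we want to see; the values come from the
# thread above and are only an illustration.
const sizes_of_interest: set[count] = { 18, 19 } &redef;

# Option 1: remember the responder's cumulative size at each udp_reply
# and report the increase since the previous reply on the same flow.
global last_resp_size: table[conn_id] of count &default = 0;

event udp_reply(u: connection)
	{
	# endpoint.size is cumulative for the whole flow so far, not per packet
	local total = u$resp$size;
	local delta = total - last_resp_size[u$id];
	last_resp_size[u$id] = total;

	if ( delta in sizes_of_interest )
		print fmt("%s -> %s: reply of %d bytes (flow total %d)",
			  u$id$resp_h, u$id$orig_h, delta, total);
	}

# Drop the bookkeeping entry when Bro forgets the connection, so the
# table does not grow without bound.
event connection_state_remove(c: connection)
	{
	if ( c$id in last_resp_size )
		delete last_resp_size[c$id];
	}

# Option 2: look at every packet. pkt_hdr carries a udp_hdr for UDP
# packets; the UDP length field counts the 8-byte header too, so
# subtract it to get the payload size.
event new_packet(c: connection, p: pkt_hdr)
	{
	if ( ! p?$udp )
		return;

	local payload = p$udp$ulen - 8;
	if ( payload in sizes_of_interest )
		print fmt("packet %s:%s -> %s:%s payload %d bytes",
			  p$ip$src, p$udp$sport, p$ip$dst, p$udp$dport, payload);
	}
```

Option 1 only fires once per udp_reply, so two replies arriving between events are seen as a single delta; option 2 sees every packet but raises new_packet for all traffic, which is the cost Robin warns about.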
