[Bro] UDP flow anomaly

CS Lee geek00l at gmail.com
Thu Sep 20 04:32:11 PDT 2007


Hi Robin,

Thanks, actually it just needs to check whether the replying packet has an
18-byte length, so I guess it's good to go.

Back to work, I would like to know if anyone is working on a Skype policy script,
in case there's a merge of the same interest.



On 9/19/07, Robin Sommer <robin at icir.org> wrote:
>
>
> On Tue, Sep 18, 2007 at 15:39 +0800, CS Lee wrote:
>
> > The script can locate the 210.79.186.143 but not 200.83.176.80 and
> > 89.37.157.114. That leads us to believe that Bro understands the flow at
> > a semantic level. In fact if we do the matching to 18+19 = 37 bytes,
>
> That's right, the size in the endpoint record is cumulative and
> reflects the total size of the flow so far.
>
> I see two options for you:
>
> - you could remember the flows' size with every udp_reply and then
> calculate the increase when the next udp_reply comes in.
>
> - you could use the new_packet() event which gives you the size for
> each packet.
>
> Neither of the two approaches is very nice and both can also turn out to
> be pretty expensive. The main problem here is that Bro isn't really
> well-suited for expressing policies at the level of individual packets
> as it tries to abstract from packets to high-level activity as much as
> possible.
>
> Robin
>
> --
> Robin Sommer * Phone +1 (510) 931-5555 * robin at icir.org
> LBNL/ICSI    * Fax   +1 (510) 666-2956 *   www.icir.org
>



-- 
Best Regards,

CS Lee<geekooL[at]gmail.com>
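An added example of Robin's first option, written for this page and not taken from the thread or from the Bro distribution: a Bro 1.x policy fragment that remembers each flow's cumulative responder size at every udp_reply and checks the increase against the 18-byte reply CS Lee is matching on. The constant name skype_reply_len, the table name last_resp_size and the 5-minute expiry are assumptions; the event and record field names (udp_reply, connection_state_remove, u$id, u$resp$size) are Bro's own.

```bro
# Added example (not from the mailing-list thread).
# Robin's point: u$resp$size is the cumulative responder byte count for the
# flow so far, so a naive "size == 18" test only matches the first reply
# (the second reply in the thread already shows 18+19 = 37). Keeping the
# previous total per flow turns the cumulative counter into a per-packet size.

const skype_reply_len = 18 &redef;   # assumed: reply length being matched on

# Last cumulative responder size seen per flow; idle entries expire.
global last_resp_size: table[conn_id] of count &default = 0 &write_expire = 5 min;

event udp_reply(u: connection)
	{
	local total = u$resp$size;                  # cumulative, per Robin
	local delta = total - last_resp_size[u$id]; # bytes added by this datagram
	last_resp_size[u$id] = total;

	if ( delta == skype_reply_len )
		print fmt("%s -> %s: %d-byte UDP reply (flow total %d bytes)",
		          u$id$resp_h, u$id$orig_h, delta, total);
	}

# Drop the bookkeeping when Bro discards the flow state.
event connection_state_remove(c: connection)
	{
	if ( c$id in last_resp_size )
		delete last_resp_size[c$id];
	}
```

Because udp_reply fires once per responder datagram, delta is exactly the size Robin's second option (new_packet) would hand you, without paying for a per-packet event on every flow.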

