[Bro] Comparison data between bro-1.4prerelease and bro-1.2.1.

Luca Renaud renaud.luca at gmail.com
Mon Sep 22 11:54:37 PDT 2008


I ran the two bro versions with 6 tcpdump files and registered the
differences in the following table:

Weird event                        tcpdumpfile1  tcpdumpfile2  tcpdumpfile3  tcpdumpfile4  tcpdumpfile5  tcpdumpfile6
(each cell is the count under bro-1.2.1 - the count under bro-1.4prerelease)

spontaneous_RST                    15-1          4-3           4-1           11-19         32-1          56-1
spontaneous_FIN                    10-1          8-0           9-0           85-55         25-2          71-1
window_recision                    26-26         29-29         0-0           48-48         0-0           52-52
SYN_seq_jump                       1-1           0-0           0-0           1-1           0-0           0-0
SYN_inside_connection              1-1           0-0           0-0           0-0           0-0           0-0
active_connection_reuse            1-0           0-0           0-0           0-0           0-0           0-0
unsolicited_SYN_response           1-0           7-7           0-0           1-1           0-0           0-0
SYN_after_close                    0-1           0-0           0-0           0-0           0-0           0-0
above_hole_data_without_any_acks   0-0           1-1           0-0           0-0           0-0           0-0
data_before_established            0-0           0-0           0-0           1-1           0-0           0-0


So, the difference is essentially around the spontaneous_RST and spontaneous_FIN
weird events. The dump files are for web-browsing-only traffic. I don't know if
this has any practical interest, but that's what I get using bro-1.4prerelease,
for this very small sample and very limited set of network protocols.

The command line I use:
export BROPATH=/usr/local/bro-1.2.1/policy:/usr/local/bro-1.2.1/site
/usr/local/bro-1.2.1/bin/bro -r tcpdumpfile

The same for bro-1.4prerelease, but here the bro environment is set up for
the directories where the policy and sig files are:
/usr/local/bro1.4prerelease/share/bro:/usr/local/bro1.4prerelease/share/bro/sigs
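The table above was built by hand from the two runs. As an added example (not part of the original post, and not Bro's own tooling), the script below does the same tabulation automatically: it counts each weird event name in the weird log written by each version for each pcap, prints the rows in the same old-new format, and lists the events whose counts differ anywhere. The log format it parses is an assumption made for this example (one weird per line, the event name as the last whitespace-separated field); the sample logs are constructed, and the pcap ordering is whatever order you pass the logs in.

```python
"""Tabulate Bro 'weird' event counts from two runs over the same pcaps.

Added example, not code from the Bro project. It assumes (constructed for
this example) that each run leaves one weird log per pcap in which every
line ends with the weird event name, e.g.:

    1222109677.203412 10.0.0.5/41232 > 192.0.2.10/80 spontaneous_RST
"""
from collections import Counter


def count_weirds(log_text):
    """Count weird event names in one log; the name is assumed to be the
    last whitespace-separated field of each non-comment line."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        counts[fields[-1]] += 1
    return counts


def compare_runs(old_logs, new_logs):
    """old_logs / new_logs: weird-log texts, one per pcap, in the same order.

    Returns {event: [(old_count, new_count), ...]} with one pair per pcap,
    events sorted by name, so every event seen by either version gets a row."""
    if len(old_logs) != len(new_logs):
        raise ValueError("need one log per pcap from each version")
    old_counts = [count_weirds(t) for t in old_logs]
    new_counts = [count_weirds(t) for t in new_logs]
    events = set()
    for c in old_counts + new_counts:
        events.update(c)
    return {ev: [(o[ev], n[ev]) for o, n in zip(old_counts, new_counts)]
            for ev in sorted(events)}


def format_table(table):
    """Render rows as 'event  old-new,old-new,...' like the post's table."""
    width = max(len(ev) for ev in table) if table else 0
    rows = []
    for ev, pairs in table.items():
        cells = ",".join(f"{o}-{n}" for o, n in pairs)
        rows.append(f"{ev.ljust(width)}  {cells}")
    return "\n".join(rows)


def changed_events(table):
    """Events whose count differs between versions on at least one pcap."""
    return [ev for ev, pairs in table.items() if any(o != n for o, n in pairs)]


# Constructed sample logs: two pcaps, run under the old and the new version.
OLD_RUN = [
    "1222109677.203412 10.0.0.5/41232 > 192.0.2.10/80 spontaneous_RST\n"
    "1222109677.911000 10.0.0.5/41233 > 192.0.2.10/80 spontaneous_RST\n"
    "1222109678.004512 10.0.0.5/41233 > 192.0.2.10/80 spontaneous_FIN\n"
    "1222109680.110000 10.0.0.5/41240 > 192.0.2.11/80 window_recision\n",
    "1222110001.500000 10.0.0.7/50000 > 192.0.2.20/443 unsolicited_SYN_response\n"
    "1222110002.000000 10.0.0.7/50001 > 192.0.2.20/443 spontaneous_FIN\n",
]
NEW_RUN = [
    "1222109677.911000 10.0.0.5/41233 > 192.0.2.10/80 spontaneous_RST\n"
    "1222109680.110000 10.0.0.5/41240 > 192.0.2.11/80 window_recision\n",
    "1222110001.500000 10.0.0.7/50000 > 192.0.2.20/443 unsolicited_SYN_response\n",
]

if __name__ == "__main__":
    table = compare_runs(OLD_RUN, NEW_RUN)
    print(format_table(table))
    print("differ:", ", ".join(changed_events(table)))
```

To use it on real runs, read each version's weird log for each pcap into the two lists in the same pcap order; a mismatch in list length is rejected rather than silently misaligning columns.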