[Bro] Fragmentation and TCP overlapping Issues

Veronica Estrada estrada.veronica at gmail.com
Tue Dec 7 05:23:29 PST 2010


Thank you very much for the help.
Some feedback:
1.
After including the filter -f "tcp or udp or icmp or (ip[6:2] & 0x3fff
!= 0)" the fragmentation events appeared. Now, I am re-processing the
files but loading only weird and matching unfragmented datagrams
to accelerate the process.
Command:
bro -r $files -f "(ip[6:2] & 0x3fff != 0)" weird

All fragment events are handled by flow weird. When is the flow
weird handler invoked?

2.
Related to a retransmission inconsistency: I found the rexmit
inconsistency events in the notice file.

4.
"Traffic to ports for which there's an analyzer that uses the byte stream.
You  can also control this using tcp_reassembler_ports_orig and
tcp_reassembler_ports_resp."

How can I redef these variables?  I tried to redef these variables in
my start policy but all I get are errors ((port and 21): error,
arithmetic mixed with non-arithmetic).
const tcp_reassembler_ports_orig: set[port] = {} &redef;
const tcp_reassembler_ports_resp: set[port] = {} &redef;

Could you please illustrate this with an example, for instance including
ports 21 & 80 in tcp_reassembler_ports_orig?
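The redef asked about above, as an added example that is not part of this thread or of the Bro distribution. It assumes the event signatures of Bro's event.bro from that period (flow_weird carrying only a name and two addresses, rexmit_inconsistency carrying the connection and both payloads), that fragment-related weird names contain the word "fragment", and that the script is passed on the command line next to the capture filter shown above:

```bro
# Added example, not from the mailing-list thread or the Bro project.
# Assumes Bro 1.x-era event signatures (see lead-in).

# Port literals carry a protocol suffix; a bare 21 is an integer, which
# is why "port and 21" fails with "arithmetic mixed with non-arithmetic".
redef tcp_reassembler_ports_orig += { 21/tcp, 80/tcp };
redef tcp_reassembler_ports_resp += { 21/tcp, 80/tcp };

# flow_weird is raised for anomalies that are not tied to a connection
# (IP fragments are reassembled before any TCP state exists), so the
# handler only gets the weird name and the endpoint addresses.
event flow_weird(name: string, src: addr, dst: addr)
	{
	# Assumption: fragment weirds are named "...fragment..." in weird.bro.
	if ( /fragment/ in name )
		print fmt("%s fragment weird %s: %s -> %s",
		          network_time(), name, src, dst);
	}

# Retransmission inconsistencies do have a connection; t1 is the
# original payload and t2 the retransmitted one.
event rexmit_inconsistency(c: connection, t1: string, t2: string)
	{
	print fmt("%s rexmit inconsistency %s:%s -> %s:%s (%d vs %d bytes)",
	          network_time(), c$id$orig_h, c$id$orig_p,
	          c$id$resp_h, c$id$resp_p, byte_len(t1), byte_len(t2));
	}
```

Run it as bro -r capture.pcap -f "(ip[6:2] & 0x3fff != 0)" this_script.bro so that both the fragment filter and the handlers are active.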
