[Bro] Hooking into source/destination heuristic
Jim Mellander
jmellander at lbl.gov
Tue Jan 3 09:09:36 PST 2012
Happy New Year, all!
I have a situation where Bro misidentifies the source and destination
of some connections - this occurs during packet loss situations, where
the SYN and SYN/ACK packets are not seen by Bro. Is there a way to
hook into the heuristic for establishing the source/destination of the
connection, so that we can employ local site knowledge of the
connection in order to accurately characterize the connection
(hopefully at the scripting level)? Can I hook into the
connection_established event, and switch source/destination in the
connection record, or are bad things likely to happen as a
consequence?
Thanks in advance,
Jim Mellander
NERSC Cybersecurity
510-486-7204
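Added example (not part of the message above or of the Bro project): a Bro 2.x policy script illustrating the site-knowledge check the question asks about. Rather than rewriting c$id in the connection record, it uses the connection history (a leading 'S'/'s' means Bro saw the originator's SYN) to tell whether the direction was inferred, and for inferred directions compares the ports against a site-specific set of known local service ports, raising a notice when the orig/resp assignment looks reversed. The module name, the notice type and the contents of local_service_ports are placeholders chosen for this example; Site::is_local_addr, the Notice framework and the connection_established / partial_connection events are standard Bro APIs.

```bro
# Added example; module and notice names are placeholders for this illustration.
module DirectionCheck;

export {
    redef enum Notice::Type += {
        ## Raised when Bro's orig/resp assignment for a connection looks
        ## reversed according to local site knowledge.
        Likely_Flipped_Direction,
    };

    ## Ports on which local hosts are known to run servers.
    ## Placeholder values; redef with the site's own list.
    const local_service_ports: set[port] = { 22/tcp, 80/tcp, 443/tcp } &redef;
}

function saw_handshake(c: connection): bool
    {
    # The history string starts with 'S' (or 's') only when Bro saw the
    # originator's SYN; otherwise the direction was guessed.
    return /^[Ss]/ in c$history;
    }

function looks_flipped(c: connection): bool
    {
    # A local "originator" on a known service port talking to a
    # non-service port on the other side is the reverse of a real
    # client/server pair, so the inferred direction is suspect.
    return Site::is_local_addr(c$id$orig_h) &&
           c$id$orig_p in local_service_ports &&
           c$id$resp_p !in local_service_ports;
    }

function check_direction(c: connection)
    {
    if ( saw_handshake(c) )
        return;

    if ( looks_flipped(c) )
        NOTICE([$note=Likely_Flipped_Direction,
                $msg=fmt("likely orig/resp flip: %s:%s -> %s:%s (history \"%s\")",
                         c$id$orig_h, c$id$orig_p,
                         c$id$resp_h, c$id$resp_p, c$history),
                $conn=c]);
    }

# Connections whose handshake Bro missed arrive via partial_connection;
# connection_established is handled as well so the check covers both paths.
event connection_established(c: connection)
    {
    check_direction(c);
    }

event partial_connection(c: connection)
    {
    check_direction(c);
    }
```

Load it with the site's other policy scripts (e.g. from local.bro). Because it only annotates via a notice and leaves the connection record untouched, it cannot disturb the analyzers that already depend on c$id, while still giving the site a record of which connections had their direction inferred under packet loss.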