[Bro] Event for syn-ack packet

Sheharbano Khattak sheharbano.k at gmail.com
Wed May 23 09:37:48 PDT 2012


I have a list of C&C servers and I want to detect which hosts in our
network talk to them. The first case is simple: check all outbound
connections in which the destination is a C&C IP. In the second case, a
C&C server takes the initiative and tries to connect to an internal host.
In some cases it may not proceed to establishing a full connection: it
hears the SYN-ACK and leaves it at that, comes back later, or maybe that's
its idea of an 'I am at your service' message. I need this event for the
second case, as the connection may never be established at all, at least
for the time for which I have a pcap trace.

On Wed, May 23, 2012 at 9:29 PM, Seth Hall <seth at icir.org> wrote:

>
> On May 23, 2012, at 6:05 AM, Sheharbano Khattak wrote:
>
> > The reply could be as short as a SYN-ACK. The event
> connection_established is too late as it doesn't matter whether the
> connection was established.
>
> Are you trying to reduce your latency in detecting something?  I guess I
> don't understand why connection_established is too late.
>
>  .Seth
>
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
>
>


-- 
Sheharbano Khattak

http://etheryell.com
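The two cases described in the question, as an added Bro script example (not code from the thread or from the Bro project): the outbound case is caught with new_connection, which fires on the first packet of a flow, and the inbound SYN-ACK-only case is caught with tcp_packet, which is raised for every TCP packet and carries the direction and flag string, so it sees the responder's SYN-ACK before connection_established would ever fire. The C&C address list (RFC 5737 test addresses), the module name and the notice names are constructed placeholders, not values from the thread.

```bro
# Added example, not from the mailing-list thread or the Bro distribution.
# Detect internal hosts that talk to known C&C servers in both directions,
# including inbound attempts that stop at SYN / SYN-ACK.

@load base/frameworks/notice

module CCDetect;

export {
    redef enum Notice::Type += {
        ## An internal host opened (or tried to open) a connection to a C&C address.
        Outbound_CC_Contact,
        ## A C&C address sent a SYN to an internal host and the host answered
        ## with a SYN-ACK; the handshake may never complete.
        Inbound_CC_SYNACK,
    };

    ## Known C&C addresses. Constructed placeholders (RFC 5737 ranges);
    ## replace with the real list, e.g. via redef in local.bro.
    const cc_servers: set[addr] = { 192.0.2.10, 198.51.100.7 } &redef;
}

# Case 1: outbound. new_connection is raised on the first packet of a flow,
# so an internal host's SYN towards a C&C address is reported even if the
# C&C server never answers.
event new_connection(c: connection)
    {
    if ( c$id$resp_h !in cc_servers )
        return;

    NOTICE([$note=Outbound_CC_Contact,
            $conn=c,
            $msg=fmt("%s contacted C&C %s:%s", c$id$orig_h, c$id$resp_h, c$id$resp_p),
            $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }

# Case 2: inbound, possibly SYN-ACK only. tcp_packet fires for every TCP
# packet; is_orig=F with both S and A in the flag string is the responder's
# SYN-ACK. Handling this event costs a script-layer call per TCP packet,
# so keep the body short and bail out early.
event tcp_packet(c: connection, is_orig: bool, flags: string, seq: count,
                 ack: count, len: count, payload: string)
    {
    # Only packets sent by the internal responder back to a C&C originator.
    if ( is_orig || c$id$orig_h !in cc_servers )
        return;

    if ( /S/ in flags && /A/ in flags )
        NOTICE([$note=Inbound_CC_SYNACK,
                $conn=c,
                $msg=fmt("%s answered SYN from C&C %s with SYN-ACK",
                         c$id$resp_h, c$id$orig_h),
                $identifier=cat(c$id$orig_h, c$id$resp_h)]);
    }
```

Run it over the trace with `bro -r trace.pcap ccdetect.bro` (assuming the file is saved under that name) and look in notice.log. The $identifier field makes the notice framework suppress repeats for the same C&C / internal-host pair, which matters for a server that keeps coming back with half-open handshakes; drop it if every attempt should be logged.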