[Bro] TEREDO bug
Jim Mellander
jmellander at lbl.gov
Mon Oct 1 15:57:43 PDT 2012
I've been looking at known-services.bro for other reasons, and found the
following line:
    ("DNS" in c$service && c$resp$size == 0) ) # for dns, require that the server talks.
I'm a bit surprised that only DNS requires that both sides of the
conversation talk - I would expect that in the case of UDP protocols
especially one would want to see both sides of the conversation.
On Mon, Oct 1, 2012 at 1:29 PM, Siwek, Jonathan Luke <jsiwek at illinois.edu> wrote:
>
> > I don't think TEREDO is working correctly. It is filling up the
> > known_services.log with entries for local host ports that I know are
> > closed just because there was a TEREDO packet sent to that port.
>
>
> It's not so much Teredo working incorrectly as it is the combination of
> how it works with the way known-services.bro decides something is a
> service, which could be improved.
>
> I've created a ticket to track the issue:
> http://tracker.bro-ids.org/bro/ticket/890
>
> Jon
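
The check quoted in the message and the UDP-wide variant it suggests, modeled in Python as an added example (not code from the thread or from Bro itself). The `Conn` fields stand in for `c$service` and `c$resp$size`; `udp_two_way_rule`, the record layout and the sample flows are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    resp_h: str         # responder address
    resp_p: int         # responder port
    proto: str          # "tcp" or "udp"
    service: frozenset  # analyzer tags, standing in for c$service
    resp_size: int      # responder payload bytes, standing in for c$resp$size


def dns_only_rule(c):
    """The quoted check: only DNS is skipped when the server never talks."""
    return not ("DNS" in c.service and c.resp_size == 0)


def udp_two_way_rule(c):
    """Hypothetical stricter variant: every UDP flow needs responder bytes."""
    return not (c.proto == "udp" and c.resp_size == 0)


def known_services(conns, rule):
    """Return the (host, port, proto) tuples a rule would record as services."""
    return {(c.resp_h, c.resp_p, c.proto) for c in conns if rule(c)}


# Constructed sample flows (documentation addresses, not real traffic).
SAMPLE = [
    Conn("192.0.2.10", 53, "udp", frozenset({"DNS"}), 120),      # DNS server answered
    Conn("192.0.2.20", 53, "udp", frozenset({"DNS"}), 0),        # unanswered DNS query
    Conn("192.0.2.30", 51413, "udp", frozenset({"TEREDO"}), 0),  # Teredo packet, closed port
    Conn("192.0.2.40", 3544, "udp", frozenset({"TEREDO"}), 96),  # responder replied
    Conn("192.0.2.50", 22, "tcp", frozenset({"SSH"}), 2048),     # ordinary TCP service
]


def false_positives(conns):
    """Entries the DNS-only check records but the two-way UDP check drops."""
    return known_services(conns, dns_only_rule) - known_services(conns, udp_two_way_rule)


if __name__ == "__main__":
    for host, port, proto in sorted(false_positives(SAMPLE)):
        print(f"one-way {proto} flow recorded as a service: {host}:{port}")
```
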