[Bro] TEREDO bug

Seth Hall seth at icir.org
Mon Oct 1 18:22:20 PDT 2012


On Oct 1, 2012, at 6:57 PM, Jim Mellander <jmellander at LBL.GOV> wrote:

> I've been looking at known-services.bro for other reasons, and found the following line:
> 
> ("DNS" in c$service && c$resp$size == 0) ) # for dns, require that the server talks.
> 
> I'm a bit surprised that only DNS requires that both sides of the conversation talk - I would expect that in the case of UDP protocols especially one would want to see both sides of the conversation.

DNS is the only UDP service that is included in known-services.log right now. For example, since we only support UDP Syslog at the moment and syslog servers never send any data and can't be confirmed, it's not included.

I suspect this is another area where we could improve the semantics of ProtocolViolation and ProtocolConfirmation, because the DNS protocol is confirmed for a single parsed DNS message, so it calls the ProtocolConfirmation method for the request and the response, which is pretty vague as a confirmation.

I believe that most of the TCP analyzers require some amount of conversation back and forth between the server and client prior to confirming the protocol.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
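The logic the thread discusses, as an added example that is not Bro code from the project or either poster: a small Python model of the known-services decision, with the DNS-only "server must talk" rule from the quoted line beside Jim's proposed generalisation to every UDP service. The record fields (proto, services, resp_bytes) and the sample connections are assumptions constructed to mirror c$service and c$resp$size.

```python
# Model of the known-services "require the server to talk" rule (added example,
# not known-services.bro itself). Field names are assumptions mirroring the
# Bro connection record: services ~ c$service, resp_bytes ~ c$resp$size.
from dataclasses import dataclass, field


@dataclass
class Conn:
    """Minimal stand-in for a Bro connection record (constructed for this example)."""
    proto: str                                  # "udp" or "tcp"
    resp_port: int
    services: set = field(default_factory=set)  # analyzers that confirmed, e.g. {"DNS"}
    resp_bytes: int = 0                         # bytes the responder sent (c$resp$size)


def record_known_service(c: Conn, require_udp_reply: bool = False) -> bool:
    """Decide whether a connection contributes to known_services.log.

    require_udp_reply=False reproduces the quoted line: only DNS is dropped when
    the responder sent nothing. require_udp_reply=True is Jim's suggestion: no
    UDP service is recorded unless both sides talked, since a one-way UDP stream
    is trivially spoofable and confirms little about what listens on the port.
    """
    if not c.services:               # nothing confirmed (e.g. UDP syslog today)
        return False
    if c.proto == "udp" and c.resp_bytes == 0:
        if require_udp_reply or "DNS" in c.services:
            return False
    return True


def known_services(conns, require_udp_reply: bool = False):
    """Return the sorted (port, service) pairs the rule would log."""
    return sorted({(c.resp_port, s)
                   for c in conns if record_known_service(c, require_udp_reply)
                   for s in c.services})


# Constructed sample connections, not captured traffic. "ONEWAY" is a
# hypothetical UDP analyzer that confirms on a single request, like DNS does.
SAMPLE = [
    Conn("udp", 53, {"DNS"}, resp_bytes=120),      # query answered
    Conn("udp", 53, {"DNS"}, resp_bytes=0),        # query never answered
    Conn("udp", 514, set(), resp_bytes=0),         # syslog: cannot be confirmed
    Conn("udp", 9999, {"ONEWAY"}, resp_bytes=0),   # hypothetical one-way UDP service
    Conn("tcp", 22, {"SSH"}, resp_bytes=900),      # TCP: both sides exchanged data
]
```

With the DNS-only rule the hypothetical one-way UDP service is still logged on port 9999; with the generalised rule it is not, which is the gap Jim points at.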
