[Bro] connection_established for udp

David Mandelberg david at mandelberg.org
Fri Apr 19 13:12:43 PDT 2013


On Fri, 2013-04-19 at 12:39 -0700, Robin Sommer wrote:
> On Tue, Apr 16, 2013 at 18:03 -0400, you wrote:
> 
> > Is there an equivalent of event connection_established for UDP?
> >  I.e., an event that is raised once datagrams are seen in both
> >  directions for a given 4-tuple.
> 
> No, and I wouldn't be sure about the semantics of seeing something in
> both direction as that's not required for UDP. What are you trying to
> do?

I'd like to know whenever a new server appears on a network. Ideally,
this would be whenever a host calls listen() on a connection-oriented
socket or bind() on a datagram socket. In practice, it seems to work
well enough to track the responding hosts and ports of established
connections or datagram pseudo-connections where the "server" has
responded. This doesn't work for UDP servers that don't respond using
the same 4-tuple, but it works for DNS and a few other common UDP server
types.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
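One way to implement the tracking David describes, as an added example that is not part of the original thread: it records the responder endpoint of every established TCP connection and, for UDP, of each pseudo-connection the moment the responder sends a datagram back (Bro's `udp_reply` event), raising a notice the first time an endpoint is seen. The notice name and the expiry interval are assumptions; as the message notes, UDP servers that answer from a different 4-tuple are not caught.

```zeek
# Added example, not from the original thread.
@load base/frameworks/notice

module NewServers;

export {
    redef enum Notice::Type += {
        ## Raised the first time a host is seen responding on a port.
        New_Server
    };

    ## Assumed value: how long an endpoint stays "known" before it may alert again.
    const expire_after = 1day &redef;
}

# Responder (host, port) pairs already reported.
global known_servers: set[addr, port] &create_expire=expire_after;

function check_server(c: connection)
{
    local h = c$id$resp_h;
    local p = c$id$resp_p;

    if ( [h, p] in known_servers )
        return;

    add known_servers[h, p];

    NOTICE([$note=New_Server,
            $msg=fmt("new %s server %s:%s",
                     get_port_transport_proto(p), h, p),
            $conn=c,
            $identifier=cat(h, p)]);
}

# TCP: handshake completed, so the responder really accepted the connection.
event connection_established(c: connection)
{
    check_server(c);
}

# UDP: the responder has sent a datagram back on the same 4-tuple
# (fires on every reply, hence the set check above). Servers that
# answer from a different port or address are not detected this way.
event udp_reply(u: connection)
{
    check_server(u);
}
```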