[Bro] connection_established for udp

David Mandelberg david at mandelberg.org
Fri Apr 19 13:46:32 PDT 2013


On Fri, 2013-04-19 at 20:33 +0000, Siwek, Jonathan Luke wrote:
> > I'd like to know whenever a new server appears on a network. Ideally,
> > this would be whenever a host calls listen() on a connection-oriented
> > socket or bind() on a datagram socket. In practice, it seems to work
> > well enough to track the responding hosts and ports of established
> > connections or datagram pseudo-connections where the "server" has
> > responded. This doesn't work for UDP servers that don't respond using
> > the same 4-tuple, but it works for DNS and a few other common UDP server
> > types.
> 
> If you can wait until the internal state of UDP "connections" in Bro times out due to inactivity (default of "udp_inactivity_timeout" variable is 1 min), would it work to handle the "connection_state_remove" event and check for a non-zero c$resp$size ?

That would work ok for a protocol like DNS, but not as well when the
4-tuples are long-lived. It also makes IDS evasion really easy for a
custom protocol running over UDP.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/
Fri Apr 19 16:37:38 EDT 2013
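The approach Jonathan suggests, written out as a Bro script. This is an added example, not code from the thread or from the Bro project; the module name, the notice type and the in-memory `seen` set are assumptions. It reports the first time a host answers on a UDP port, by inspecting `c$resp$size` when the UDP pseudo-connection's state is removed after `udp_inactivity_timeout`:

```bro
# Added example: flag the first time a UDP responder is seen on the network,
# using connection_state_remove as suggested in the thread above.
@load base/frameworks/notice

module NewUDPServer;   # assumed module name

export {
    redef enum Notice::Type += {
        ## A host answered on a UDP port it has not been seen answering on before.
        New_UDP_Server
    };

    ## Responders already reported, keyed on (host, port).
    ## Assumption: kept in memory only and aged out after a day.
    global seen: set[addr, port] &create_expire = 1 day;
}

## The check only runs when the pseudo-connection times out, so shortening
## the default of 1 min makes new servers show up sooner (at the cost of
## more connection_state_remove events for chatty flows).
redef udp_inactivity_timeout = 30 secs;

event connection_state_remove(c: connection)
    {
    # Only UDP pseudo-connections in which the responder actually sent data.
    if ( ! is_udp_port(c$id$resp_p) || c$resp$size == 0 )
        return;

    # Report each (host, port) pair once.
    if ( [c$id$resp_h, c$id$resp_p] in seen )
        return;

    add seen[c$id$resp_h, c$id$resp_p];

    NOTICE([$note=New_UDP_Server,
            $msg=fmt("%s responded on %s (%d bytes)",
                     c$id$resp_h, c$id$resp_p, c$resp$size),
            $conn=c,
            $identifier=cat(c$id$resp_h, c$id$resp_p)]);
    }
```

Two limits follow directly from the discussion: a long-lived 4-tuple is not reported until it goes quiet for `udp_inactivity_timeout`, and a server that answers from a different port than the one it was contacted on never sets `c$resp$size` on the original pseudo-connection, so it is not seen at all.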

