[Bro] connection_established for udp
Siwek, Jonathan Luke
jsiwek at illinois.edu
Fri Apr 19 14:05:49 PDT 2013
>> If you can wait until the internal state of UDP "connections" in Bro times out due to inactivity (default of "udp_inactivity_timeout" variable is 1 min), would it work to handle the "connection_state_remove" event and check for a non-zero c$resp$size ?
>
> That would work ok for a protocol like DNS, but not as well when the
> 4-tuples are long-lived. It also makes IDS evasion really easy for a
> custom protocol running over UDP.
How about also handling "new_connection" and polling that connection periodically for a non-zero c$resp$size ? That may be more expensive, though.
The base/protocols/conn/polling.bro script provides a generic way to do polling via events, and an example use of it can be found in base/protocols/ftp/gridftp.bro.
- Jon
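As an added example (not code from the thread or from the Bro project), here is a script that does what Jon suggests: on `new_connection` it hands each UDP connection to ConnPolling and raises an event the first time `c$resp$size` is non-zero, stopping after a bounded number of polls to keep the cost in check. It assumes the `ConnPolling::watch(c, callback, cnt, interval)` signature exported by base/protocols/conn/polling.bro (check against your Bro version); the module name, the event name and the interval/limit values are constructed for illustration.

```bro
##! Added example: poll a UDP "connection" until the responder sends data.
##! Assumes ConnPolling::watch(c, callback, cnt, interval) from
##! base/protocols/conn/polling.bro; names/values below are constructed.

@load base/protocols/conn/polling

module UDPRespWatch;

export {
	## Raised once, when the UDP responder has sent its first bytes.
	global udp_response_seen: event(c: connection);

	## How often to re-check the connection (constructed default).
	const poll_interval = 5secs &redef;

	## Stop polling after this many checks (constructed default).
	const max_polls = 12 &redef;
}

function check_resp(c: connection, cnt: count): interval
	{
	# Responder has sent data: report once, then stop polling.
	# A negative interval tells ConnPolling to stop scheduling checks.
	if ( c$resp$size > 0 )
		{
		event udp_response_seen(c);
		return -1sec;
		}

	# Bound the cost: cnt starts at 0 and increases by one per poll.
	if ( cnt >= max_polls )
		return -1sec;

	return poll_interval;
	}

event new_connection(c: connection)
	{
	# Only UDP is of interest here; TCP has a proper handshake.
	if ( get_port_transport_proto(c$id$resp_p) != udp )
		return;

	# First check runs immediately (0secs), then every poll_interval.
	ConnPolling::watch(c, check_resp, 0, 0secs);
	}

event udp_response_seen(c: connection)
	{
	print fmt("UDP response %s:%s -> %s:%s (%d bytes)",
	          c$id$resp_h, c$id$resp_p, c$id$orig_h, c$id$orig_p, c$resp$size);
	}
```

Because ConnPolling refreshes the connection record before each callback, `c$resp$size` reflects the current byte count at poll time rather than the value seen at `new_connection`.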