[Bro] truncated packets
Vlad Grigorescu
vladg at cmu.edu
Wed Aug 7 11:37:32 PDT 2013
Disabling checksum verification won't help much. You'll end up getting protocol violations because the protocol truncates so quickly. 54 bytes really doesn't give you much to work with. I assume you're just interested in getting connection logs?
--Vlad
"The Bro list is public record anyway."
On Aug 7, 2013, at 1:30 PM, Slagell, Adam J <slagell at illinois.edu> wrote:
> See http://comments.gmane.org/gmane.comp.security.detection.bro/3168
>
> On Aug 7, 2013, at 1:29 PM, Adam J. Slagell <slagell at illinois.edu> wrote:
>
>> You may try turning off the checksum verification.
>>
>> On Aug 7, 2013, at 1:13 PM, Laleh Arshadi <la_arshadi at yahoo.com> wrote:
>>
>>> Dear All,
>>>
>>> I know that Bro can analyze offline traffic with its -r option, but I wonder if it can analyze traffic that contains truncated packets? I remember a few years ago when I ran old versions of Bro on the MAWI traffic, it didn't work properly since the packets were all truncated at 54 bytes. Maybe this has changed in the newer versions?
>>>
>>> Regards
>>> Laleh
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>> ------
>>
>> Adam J. Slagell
>> Chief Information Security Officer
>> Sr. Research Scientist
>> National Center for Supercomputing Applications
>> University of Illinois at Urbana-Champaign
>> www.slagell.info
>>
>> "Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."
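Added example, not part of the original thread or of Bro's own code: a Python sketch that reads a classic pcap and reports what survives a 54-byte snap length, which is exactly a 14-byte Ethernet header plus option-free 20-byte IPv4 and TCP headers. The sample capture, the addresses and the helper names (`build_pcap`, `make_frame`, `survey`) are constructed for illustration.

```python
import struct

def build_pcap(frames, snaplen=54):
    """Constructed sample: classic little-endian pcap, Ethernet, frames cut at snaplen."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for ts, frame in enumerate(frames):
        cut = frame[:snaplen]
        out += struct.pack("<IIII", ts, 0, len(cut), len(frame)) + cut
    return out

def make_frame(tcp_hdr_len, payload_len):
    """Constructed Ethernet/IPv4/TCP frame; addresses are documentation ranges."""
    eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_hdr_len + payload_len, 0, 0,
                     64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, (tcp_hdr_len // 4) << 4,
                      0x18, 65535, 0, 0) + b"\x01" * (tcp_hdr_len - 20)
    return eth + ip + tcp + b"A" * payload_len

def survey(pcap):
    """Per packet: what the capture kept, judged from record and protocol headers."""
    magic, _, _, _, _, snaplen, linktype = struct.unpack_from("<IHHiIII", pcap, 0)
    assert magic == 0xA1B2C3D4 and linktype == 1, "expects little-endian Ethernet pcap"
    off, rows = 24, []
    while off + 16 <= len(pcap):
        _, _, caplen, wirelen = struct.unpack_from("<IIII", pcap, off)
        data = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        row = {"caplen": caplen, "wirelen": wirelen, "truncated": caplen < wirelen,
               "tcp_header_complete": False, "payload_captured": 0}
        # Ethernet (14) + minimal IPv4 (20) must be present to read IHL and protocol.
        if caplen >= 14 + 20 and data[12:14] == b"\x08\x00" and data[23] == 6:
            ihl = (data[14] & 0x0F) * 4
            tcp_at = 14 + ihl
            if caplen > tcp_at + 12:  # data-offset byte of the TCP header was captured
                tcp_len = (data[tcp_at + 12] >> 4) * 4
                row["tcp_header_complete"] = caplen >= tcp_at + tcp_len
                row["payload_captured"] = max(0, caplen - tcp_at - tcp_len)
        # The TCP checksum covers the whole segment, so a cut packet cannot be checked.
        row["checksum_verifiable"] = not row["truncated"]
        rows.append(row)
    return snaplen, rows

# Constructed capture: bare ACK, full-size segment, full-size segment with TCP options.
SAMPLE = build_pcap([make_frame(20, 0), make_frame(20, 1460), make_frame(32, 1448)])

if __name__ == "__main__":
    snaplen, rows = survey(SAMPLE)
    for r in rows:
        print(snaplen, r)
```

On the constructed sample, no packet keeps any payload bytes, and the segment carrying TCP options loses part of its TCP header as well.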