[Bro] truncated packets

Laleh Arshadi la_arshadi at yahoo.com
Wed Aug 7 11:41:32 PDT 2013




Disabling checksum verification won't help much. You'll end up getting protocol violations because the protocol truncates so quickly. 54 bytes really doesn't give you much to work with. I assume you're just interested in getting connection logs?

  --Vlad

Yes... exactly. Is it possible to do so?
 
Laleh



On Aug 7, 2013, at 1:30 PM, Slagell, Adam J <slagell at illinois.edu> wrote:

> See http://comments.gmane.org/gmane.comp.security.detection.bro/3168
> 
> On Aug 7, 2013, at 1:29 PM, Adam J. Slagell <slagell at illinois.edu> wrote:
> 
>> You may try turning off the checksum verification.
>> 
>> On Aug 7, 2013, at 1:13 PM, Laleh Arshadi <la_arshadi at yahoo.com>
>>  wrote:
>> 
>>> Dear All,
>>>  
>>> I know that Bro can analyze offline traffic with its -r option, but I wonder if it can analyze traffic that contains truncated packets? I remember a few years ago when I ran old versions of Bro on the MAWI traffic, it didn't work properly since the packets were all truncated at 54 bytes. Maybe this has changed in the newer versions?
>>>  
>>> Regards
>>> Laleh
>>> _______________________________________________
>>> Bro mailing list
>>> bro at bro-ids.org
>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>> 
>> ------
>> 
>> Adam J. Slagell
>> Chief Information Security Officer
>> Sr. Research Scientist
>> National Center for Supercomputing Applications
>> University of Illinois at Urbana-Champaign
>> www.slagell.info
>> 
>> "Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure." 
> 
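Added example (not part of the original thread, and not Bro code): a Python illustration of what a 54-byte snap length leaves in each packet. 54 bytes is exactly Ethernet (14) + IPv4 without options (20) + TCP without options (20), so endpoints, ports and flags are still present, while the payload that the TCP checksum covers is gone. The sample capture, addresses and function names are constructed for illustration.

```python
import socket
import struct

def make_sample_pcap(snaplen=54):
    """Constructed sample: one TCP PSH/ACK segment, 154 bytes on the wire."""
    eth = bytes(12) + b"\x08\x00"                      # zeroed MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 140, 1, 0, 64, 6, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"))
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 2000, 0x50, 0x18, 8192, 0, 0)
    frame = eth + ip + tcp + b"A" * 100                # 14 + 20 + 20 + 100 bytes
    ghdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    rec = struct.pack("<IIII", 1375900000, 0, min(snaplen, len(frame)), len(frame))
    return ghdr + rec + frame[:snaplen]

def summarize(pcap):
    """Per packet: truncation state plus the header fields that survived."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian, microsecond pcap is handled here")
    off, out = 24, []
    while off + 16 <= len(pcap):
        _, _, caplen, wirelen = struct.unpack_from("<IIII", pcap, off)
        data = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        info = {"caplen": caplen, "wirelen": wirelen, "truncated": caplen < wirelen}
        if len(data) >= 34 and data[12:14] == b"\x08\x00" and data[23] == 6:
            ihl = (data[14] & 0x0F) * 4                # IPv4 header length
            t = 14 + ihl                               # start of TCP header
            if len(data) >= t + 20:
                sport, dport, _, _, doff, flags = struct.unpack_from("!HHIIBB", data, t)
                hlen = (doff >> 4) * 4                 # TCP header length
                on_wire = struct.unpack_from("!H", data, 16)[0] - ihl - hlen
                seen = max(0, len(data) - t - hlen)
                info.update(src=socket.inet_ntoa(data[26:30]), sport=sport,
                            dst=socket.inet_ntoa(data[30:34]), dport=dport,
                            flags=flags, payload_seen=seen, payload_on_wire=on_wire,
                            # TCP checksum covers header + payload: needs every byte
                            tcp_checksum_verifiable=(seen == on_wire))
        out.append(info)
    return out

if __name__ == "__main__":
    for pkt in summarize(make_sample_pcap()):
        print(pkt)
```

Running it on the constructed capture shows the full 4-tuple and flags recovered from the 54 captured bytes, with 0 of 100 payload bytes seen and the TCP checksum marked as not verifiable.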