[Bro] rexmit_inconsistency?
Nicholas Weaver
nweaver at ICSI.Berkeley.EDU
Mon Jul 7 08:05:39 PDT 2014
I'm trying to build a test for packet injection, which Bro should complain about as it generates retransmission inconsistencies and/or data after RST or other TCP weirdnesses.
Yet in my simple test trace (attached) and this simple policy script:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: inject.tcpdump
Type: application/octet-stream
Size: 14684 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140707/07453158/attachment.obj
-------------- next part --------------
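# Print both copies of the payload whenever Bro raises rexmit_inconsistency.
event rexmit_inconsistency(c: connection, t1: string, t2: string) {
    # t1 and t2 carry the two differing copies of the overlapping data.
    print "Inconsistency";
    print t1;
    print t2;
}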
it's not flagging.
Is it because the data has already been ACKed and therefore the reassembler is no longer keeping track of the data?
--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver at icsi.berkeley.edu          full of sound and fury,
510-666-2903                          .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
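
Added example, not part of the original message and not Bro's code: a toy Python reassembler that assumes buffered bytes are dropped once the peer has ACKed them, showing how the condition asked about above would hide a mismatched retransmission. The class, function and payload names are hypothetical and the traffic is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class ToyReassembler:
    """Toy model of one direction of a TCP stream (not Bro's reassembler).

    Assumption: buffered bytes are discarded once the peer has ACKed them.
    """
    base: int = 0                               # lowest sequence number still buffered
    buf: dict = field(default_factory=dict)     # sequence number -> byte value
    alerts: list = field(default_factory=list)  # (seq, buffered bytes, new bytes)

    def segment(self, seq, payload):
        """Buffer a data segment; alert if it overlaps buffered bytes that differ."""
        old, new = bytearray(), bytearray()
        for s, b in enumerate(payload, start=seq):
            if s < self.base:
                continue                  # ACKed and discarded: nothing left to compare
            if s in self.buf:
                old.append(self.buf[s])
                new.append(b)
            else:
                self.buf[s] = b
        if old != new:
            self.alerts.append((seq, bytes(old), bytes(new)))

    def ack(self, ack_no):
        """The peer acknowledged every byte below ack_no; drop those bytes."""
        for s in range(self.base, ack_no):
            self.buf.pop(s, None)
        self.base = max(self.base, ack_no)

def replay(events):
    """Feed (method, *args) events to a fresh reassembler; return its alerts."""
    r = ToyReassembler()
    for method, *args in events:
        getattr(r, method)(*args)
    return r.alerts

# Constructed sample traffic: two same-length copies of one sequence range.
FIRST, SECOND = b"original payload", b"injected payload"
BOTH_BEFORE_ACK = [("segment", 1000, FIRST), ("segment", 1000, SECOND),
                   ("ack", 1000 + len(FIRST))]
ACK_IN_BETWEEN = [("segment", 1000, FIRST), ("ack", 1000 + len(FIRST)),
                  ("segment", 1000, SECOND)]

if __name__ == "__main__":
    print(replay(BOTH_BEFORE_ACK))   # one alert: both copies were still comparable
    print(replay(ACK_IN_BETWEEN))    # no alert: the first copy was already dropped
```

In this model the second copy is only compared against bytes that are still buffered, so an ACK seen between the two copies silences the alert; whether Bro's reassembler behaves this way is the open question in the message.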