[Bro] rexmit_inconsistency?
Siwek, Jon
jsiwek at illinois.edu
Mon Jul 7 08:34:35 PDT 2014
On Jul 7, 2014, at 10:05 AM, Nicholas Weaver <nweaver at ICSI.Berkeley.EDU> wrote:
>
> I'm trying to build a test for packet injection, which Bro should complain about as it generates retransmission inconsistencies and/or data after RST or other TCP weirdnesses.
>
> Yet in my simple test trace (attached) and this simple policy script:
>
> event rexmit_inconsistency(c: connection, t1: string, t2: string){
>     print "Inconsistency";
>     print t1;
>     print t2;
> }
>
> it's not flagging.
>
> Is it because the data has already been ACKed and therefore the reassembler is no longer keeping track of the data?
Probably, but didn’t look closely at the particular trace you gave — if it has been ACK’d, I don’t expect the reassembler to keep that data around and so can’t compare with the contents of a future overlapping segment.
- Jon
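
The behaviour Jon suggests above, as an added example that is not part of the original thread and is not Bro's reassembler code: a simplified Python model which assumes buffered bytes are freed once they are ACKed, so an overlapping segment with different content is only reported while the original bytes are still un-ACKed. The class, the event layout and the sample payloads are constructed for illustration, and sequence-number wraparound is ignored.

```python
# Toy model of a TCP stream reassembler (added example, not Bro's code).
# Assumption: payload bytes are kept only until they are ACKed, then freed.

class ToyReassembler:
    def __init__(self):
        self.buffered = {}          # sequence number -> byte, un-ACKed data only
        self.acked_upto = 0         # bytes below this sequence number were freed
        self.inconsistencies = []   # (old_bytes, new_bytes) for each mismatch

    def segment(self, seq, payload):
        """Buffer new bytes; compare bytes that overlap data still buffered."""
        old, new = bytearray(), bytearray()
        for offset, byte in enumerate(payload):
            pos = seq + offset
            if pos < self.acked_upto:
                continue            # already ACKed and freed: nothing to compare
            if pos in self.buffered:
                old.append(self.buffered[pos])
                new.append(byte)
            else:
                self.buffered[pos] = byte
        if old != new:
            self.inconsistencies.append((bytes(old), bytes(new)))

    def ack(self, ack_no):
        """Free every buffered byte below the acknowledged sequence number."""
        for pos in [p for p in self.buffered if p < ack_no]:
            del self.buffered[pos]
        self.acked_upto = max(self.acked_upto, ack_no)

def replay(events):
    """Run ("data", seq, payload) / ("ack", ack_no) events; return mismatches."""
    r = ToyReassembler()
    for kind, *args in events:
        if kind == "data":
            r.segment(*args)
        else:
            r.ack(*args)
    return r.inconsistencies

# Constructed sample traces: same two segments, ACK in a different position.
ORIGINAL = b"HTTP/1.1 200 OK\r\n"
OVERLAP = b"HTTP/1.1 302 OK\r\n"
BEFORE_ACK = [("data", 1, ORIGINAL), ("data", 1, OVERLAP), ("ack", 18)]
AFTER_ACK = [("data", 1, ORIGINAL), ("ack", 18), ("data", 1, OVERLAP)]

if __name__ == "__main__":
    print("overlap before ACK:", replay(BEFORE_ACK))
    print("overlap after ACK: ", replay(AFTER_ACK))
```

In this model the ordering of the ACK relative to the overlapping segment is the only difference between a reported and an unreported inconsistency, which is the condition to check in a test trace.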