True, I'm just basing it off of Bro's mechanism to turn some UDP traffic
into "connections" that fit into its model.
I guess what I'm looking for is a connection_state_add to go with the
existing connection_state_remove. It wouldn't be UDP-specific, but it might
fit the current event model a bit better.
On Mon, Mar 5, 2018 at 4:55 AM, Jan Grashöfer <jan.grashoefer(a)gmail.com> wrote:
> On 02/03/18 03:52, Vlad Grigorescu wrote:
>> I would like to propose a new event in Bro, one that would fire when a
>> connection is established (i.e. a response is observed within some time
>> frame after a request is seen). Basically, the UDP equivalent of
>> Does anyone have thoughts about this?
>
> I definitely see the need to correlate request-response-pairs for UDP
> protocols but as UDP is *connectionless*, the term UDP connection sounds
> very strange to me. Maybe a general notion of request-response protocols
> could be established. Corresponding protocols could trigger general
> events. For some protocols there might be even a session concept.
bro-dev mailing list