RE: Few questions...
by Ayyasamy, Senthilkumar (UMKC-Student)
> > I could not find any bro mailing list archive.
> (it's available as a single flat file [:-(] by sending "get bro archive"
> in the body of a message mailed to majordomo(a)lbl.gov)
Thanks!!! It will be really useful for me.
> > Does Bro detect illegal TCP acknowledgements and
> > retransmissions which I could not see using an ordinary
> > dump utility?
> Depends what you mean by "illegal". It detects acknowledgments above
> sequence holes, and inconsistent TCP retransmission. Unfortunately, when
> looking at a large volume of traffic, these show up due to various things
> being broken (as mentioned in the Bro paper), so their presence isn't
> a useful indicator of an attack.
Have you observed it in a practical network?
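
The two conditions named in the quoted reply, sketched as an added example that is not part of this thread and is not Bro's own code. The class, method and event names are hypothetical, the segments are constructed, and sequence-number wraparound and SACK are ignored.

```python
from dataclasses import dataclass, field

@dataclass
class FlowMonitor:
    """One direction of a TCP connection as a passive monitor sees it (hypothetical)."""
    isn: int                                      # first data sequence number from the sender
    seen: dict = field(default_factory=dict)      # sequence number -> byte value observed
    events: list = field(default_factory=list)

    def data(self, seq, payload):
        """Record a data segment; flag a retransmission whose bytes differ."""
        flagged = False
        for off, byte in enumerate(payload):
            old = self.seen.setdefault(seq + off, byte)
            if old != byte and not flagged:
                self.events.append(("retransmission_inconsistency", seq + off))
                flagged = True

    def contiguous_end(self):
        """First sequence number the monitor has not seen, counting from isn."""
        s = self.isn
        while s in self.seen:
            s += 1
        return s

    def ack(self, ack_no):
        """Flag an ACK covering bytes the monitor never saw (above a hole)."""
        end = self.contiguous_end()
        if ack_no > end:
            # Also fires when the monitor itself dropped a packet, which is
            # one reason the event is common in large traffic volumes.
            self.events.append(("ack_above_hole", end, ack_no))

def run_constructed_trace():
    m = FlowMonitor(isn=1000)
    m.data(1000, b"0123456789")   # bytes 1000..1009
    m.data(1020, b"KLMNOPQRST")   # bytes 1020..1029, hole at 1010..1019
    m.ack(1030)                   # receiver acknowledges across the hole
    m.data(1010, b"abcdefghij")   # hole filled
    m.ack(1030)                   # now consistent, no event
    m.data(1020, b"KLMNOPQRST")   # identical retransmission, no event
    m.data(1000, b"01234X6789")   # retransmission differs at byte 1005
    return m.events

if __name__ == "__main__":
    for event in run_constructed_trace():
        print(event)
```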