Hi,
I would like to make a NIDS; for that I must construct connections. One connection begins with Syn+Syn_Ack+Ack+......+Ack+.......Fin_Ack+ack+Fin_ack+ack.
I can't find an example of how to make the FLAG; the flag can be S0, RSTO, SF, REJ.
Can you give me documentation on the construction of connections and attributes like FLAG, Duration, .....
Thank you very much
_____________________________________________________________________________
Keep only one e-mail address! Copy your mail to Yahoo! Mail
Dear All,
I added some files under the /src directory and modified Makefile.am
to reflect the revision. I tried to use the 'autoconf' commands (e.g.,
autoscan and automake, etc.) to generate Makefile.in, as suggested in
many on-line manuals, but failed to make it work. Unlike the cases in these
on-line manuals, Bro seems not to need 'configure.in' under the /src
directory, but automake will complain about this. I am not so familiar with
the autoconf tools. Would anyone please give me a pointer to solve
the problem? Thanks.
Best regards,
--
Po-Ching Lin <pclin(a)cis.nctu.edu.tw>
Greetings.
I have a general TCP RST handling question.
Assume the state of a connection is established and data has been
transferred to and fro, and then the server sends a RST packet (or two) [1]
to the client and the session ends soon after.
From an IDS/IPS standpoint,
- should the session be transitioned to closed upon seeing the first RST?
- if not, is the session marked as SEEN_RST or something and timed out?
From an IPS point of view (which does not allow stateless traffic),
knowing when to remove the connection is critical, isn't it?
I would like to know from the Bro standpoint and in general.
Thanks a lot for any information/viewpoint.
-Ashley
[1] Why does the server send two RSTs as in the example below --
15:47:05.990438 192.168.0.1.8080 > 192.168.1.1.46615: R 1:1(0) ack
10500305 win 32768 <nop,nop,timestamp 44983385 1113850335> (DF)
15:47:05.990499 192.168.0.1.8080 > 192.168.1.1.46615: R
4223569903:4223569903(0) win 0 (DF)
Hi,
sorry, I don't understand your question, so I forwarded it to the list.
Bye Sandro
> Thank you very much for answering my message,
>
> I would like to make a NIDS; for that I must construct connections. One
> connection begins with
> Syn+Syn_Ack+Ack+......+Ack+.......Fin_Ack+ack+Fin_ack+ack.
> I can't find an example of how to make the FLAG; the flag can be S0, RSTO, SF, REJ.
>
> Can you give me documentation on the construction of connections and
> attributes like FLAG, Duration, .....
>
> Thank you very much
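Added example (not from this list thread and not Bro's own code) of what the question above asks for: a tracker that builds connections from SYN/SYN-ACK/FIN/RST segments and derives the FLAG-style state (S0, SF, REJ, RSTO, ...) plus the duration, using my own simplified reading of Bro's conn_state labels. It also illustrates the RST question from Ashley's message: in this toy, the first RST closes the connection and the duplicate RST is dropped. The packet tuples and addresses are constructed.

```python
"""Toy tracker (added example): builds TCP connections from segments and labels
them with a Bro-style conn state; duration = last - start. The first RST tears
a connection down; later segments (e.g. a duplicate RST) are ignored."""

def new_conn(ts):
    return {"start": ts, "last": ts, "syn": False, "synack": False,
            "fins": set(), "rst_by": ""}   # fins/rst_by: which side sent FIN/RST

def state(c):
    if c["rst_by"] == "resp":
        return "RSTR" if c["synack"] else "REJ"      # resp aborted / SYN rejected
    if c["rst_by"] == "orig":
        return "RSTO" if c["synack"] else "RSTOS0"   # orig aborted / RST after own SYN
    if not c["synack"]:
        return "S0" if c["syn"] else "OTH"           # unanswered SYN / no handshake seen
    return "SF" if c["fins"] == {"orig", "resp"} else "S1"  # closed both ways / open

def track(packets):
    """packets: (ts, src, sport, dst, dport, flags); returns {originator 4-tuple: conn}."""
    conns = {}
    for ts, src, sport, dst, dport, flags in packets:
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        side = "resp" if rkey in conns else "orig"
        c = conns[rkey] if side == "resp" else conns.setdefault(key, new_conn(ts))
        if c["rst_by"]:
            continue                     # already torn down: drop stragglers
        c["last"] = ts
        if "S" in flags and "A" not in flags and side == "orig":
            c["syn"] = True
        elif "S" in flags and "A" in flags and side == "resp":
            c["synack"] = True
        if "F" in flags:
            c["fins"].add(side)
        if "R" in flags:
            c["rst_by"] = side
    return conns

SAMPLE = [  # constructed segments: clean session, unanswered SYN, rejected SYN, double RST
    (0.00, "10.0.0.2", 40001, "10.0.0.1", 80, {"S"}),
    (0.01, "10.0.0.1", 80, "10.0.0.2", 40001, {"S", "A"}),
    (0.50, "10.0.0.2", 40001, "10.0.0.1", 80, {"F", "A"}),
    (0.51, "10.0.0.1", 80, "10.0.0.2", 40001, {"F", "A"}),
    (1.00, "10.0.0.2", 40002, "10.0.0.1", 22, {"S"}),
    (2.00, "10.0.0.2", 40003, "10.0.0.1", 23, {"S"}),
    (2.01, "10.0.0.1", 23, "10.0.0.2", 40003, {"R", "A"}),
    (3.00, "10.0.0.2", 40004, "10.0.0.1", 8080, {"S"}),
    (3.01, "10.0.0.1", 8080, "10.0.0.2", 40004, {"S", "A"}),
    (3.90, "10.0.0.1", 8080, "10.0.0.2", 40004, {"R", "A"}),
    (3.91, "10.0.0.1", 8080, "10.0.0.2", 40004, {"R"}),
]
```

Running `track(SAMPLE)` and calling `state()` on each result gives SF, S0, REJ and RSTR for the four originator ports, with the second RST on port 40004 ignored.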
Hi,
I would like to make a TCP connection; can you give me documentation or a URL that explains how to make this?
Thank you very much
Hi all!
We are using Bro at Dresden University of Technology to develop a
prototype of a mobile wireless IDS. I use Broccoli to communicate
between my local Bro and my manager application.
I need to add and remove peers for inter-Bro communication without
restarting Bro. Therefore I added some new events to remote.bro to add
and remove peers. To close an active connection, I added some lines in
RemoteSerializer and bro.bif(_orig) to call RS::CloseConnection.
Adding and connecting new peers works fine, but I get the runtime error
'value used but not set' when I call close_connection(id). What did I do wrong?
Thanks for your help!
Sandro
my changes:
remote.bro:
    # Close the remote connection of every connected peer on the given host.
    event broccoli_remove_peer(host : addr)
        {
        for ( id in connected_peers )
            {
            if ( connected_peers[id]$host == host )
                {
                print (fmt("remove peerID '%s', host = %s", id, host));
                close_connection(id);
                }
            }
        }
bro.bif / bro.bif.orig:
    function close_connection%(id: count%) : bool
        %{
        return new Val(remote_serializer->CloseConnection(id), TYPE_BOOL);
        %}
RemoteSerializer.h (public):
    bool CloseConnection(PeerID id);
RemoteSerializer.cc:
    bool RemoteSerializer::CloseConnection(PeerID id)
        {
        return CloseConnection(LookupPeer(id, true));
        }
Hi guys,
As I couldn't create a login for the wiki, I'll post some minor errata
for the reference manual. I hope it's found to be useful.
------------------------------------------------------------------------------------------------------------------
Table assignment section:
The part to do with making an assignment to an entire table
is a bit confusing as to what this functionality does. Perhaps it would
be better to express this in a fashion similar to the "record
assignment" section, where it talks about C-esque shallow and deep
copies. The way this section is currently expressed was leading me to
read more between the lines.
----------------------
Set section
"Also as with tables, you can use the &create_expire, &read_expire, and
&write_expire attributes to control the automatic expiration of elements
in a set.
Deficiency: However, the attribute is not currently supported."
The attribute lacking is not mentioned causing the person to
cross-reference back up to the table attributes. The assumption is that
the expiry function
attribute is missing.
----------------------
Sets and table section
Both sections conclude with "you can loop over all of the indices in a
set/table using the statement."
The statement that does the looping is not shown.
------------------------------------------------------------------------------------------------------------------