[Discussion] Brainstorming Session Notes

Seth Hall hall.692 at osu.edu
Mon Nov 17 16:08:44 UTC 2008


On Nov 17, 2008, at 10:59 AM, Matt Jonkman wrote:

> Also brought up was considering preprocessors or some other process
> that can do decoding. Mime, gzip, zlib, PE unpacking, etc. That'd
> definitely be too slow to do inline, but if it were handed off to a
> spare thread and that result used for IP reputation or stream
> reputation it could be of great use.

I think that *definitely* might be a somewhat overly finite
statement.  Right now with Bro I'm doing gzip decoding of web traffic
on 1.1 Gbps of total network traffic (we typically see about 60% on
port 80/tcp) and not dropping packets.

> Data flow collection was mentioned. I guess the best way to summarize
> would be to be able to output netflow style data. Not too detailed,
> but something that other tools could use.

Bro's conn.bro script does this, but it's slightly nicer in the same
sense that Argus is nicer than netflow.  It actually shows you the
direction of the connection.  If you have the capacity on your
machine(s), it can also tell you what protocol it detected during the
connection.

   .Seth

---
Seth Hall
Network Security - Office of the CIO
The Ohio State University
Phone: 614-292-9721
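
The hand-off Matt describes (gzip/zlib decoding done off the capture
path, feeding a reputation score) is sketched below as an added
example; it is not code from this thread, from Bro, or from any IDS.
It assumes a worker pool receives (server IP, raw body) pairs, and the
sample bodies, signature strings and scoring are all constructed for
illustration. The one caveat a decoder on untrusted input needs is
built in: inflation is capped, so a decompression bomb cannot turn the
"spare thread" into the packet-dropping bottleneck.

```python
import gzip
import zlib
from collections import Counter
from concurrent.futures import ThreadPoolExecutor

# Hard cap on inflated output. An attacker-controlled gzip body can expand
# thousands of times; without a cap the decoding thread becomes the bottleneck.
MAX_DECODED = 1 << 20  # 1 MiB

# Constructed strings to look for in decoded bodies (illustrative, not real signatures).
SIGNATURES = (b"eval(unescape(", b"document.write(unescape(")


def inflate_gzip(body, limit=MAX_DECODED):
    """Inflate a gzip-encoded HTTP body, never producing more than `limit` bytes.

    Returns (status, data) with status one of:
      'ok'         - whole stream inflated and its trailer verified
      'truncated'  - output hit `limit` with compressed input left over (bomb-like)
      'incomplete' - input ran out before the gzip trailer (cut-off transfer)
      'corrupt'    - not a gzip stream (wrong magic, bad deflate data, bad CRC)
    """
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    try:
        data = d.decompress(body, limit)
    except zlib.error:
        return "corrupt", b""
    if d.unconsumed_tail:
        return "truncated", data
    if not d.eof:
        return "incomplete", data
    return "ok", data


def scan_response(server, body):
    """Decode one body and report which signatures the decoded text contains."""
    status, data = inflate_gzip(body)
    hits = [s.decode() for s in SIGNATURES if s in data]
    return {"server": server, "status": status, "decoded_len": len(data), "hits": hits}


def score_servers(responses, workers=4):
    """Inflate and scan bodies on a thread pool, then tally a crude per-server score.

    A capture loop would only enqueue (server, body) pairs; it never waits on
    inflate itself, which is the hand-off the quoted note describes.
    """
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda r: scan_response(*r), responses))
    score = Counter()
    for r in results:
        score[r["server"]] += len(r["hits"])
        if r["status"] == "truncated":  # a body that blows past the cap is itself a signal
            score[r["server"]] += 1
    return results, score


# Constructed sample "responses": (server IP, raw Content-Encoding: gzip body)
SAMPLE_RESPONSES = [
    ("203.0.113.10", gzip.compress(b"<script>eval(unescape('%75%6e%65%73'))</script>")),
    ("203.0.113.20", gzip.compress(b"<html><body>plain page</body></html>")),
    ("203.0.113.30", b"<html>server lied about Content-Encoding</html>"),
    ("203.0.113.40", gzip.compress(b"x" * 4096)[:-12]),  # transfer cut before the trailer
    ("203.0.113.50", gzip.compress(b"\0" * (8 << 20))),  # 8 MiB of zeros, a few KB on the wire
]

if __name__ == "__main__":
    results, score = score_servers(SAMPLE_RESPONSES)
    for r in results:
        print(r)
    print(dict(score))
```

Python's zlib releases the GIL while inflating, so the pool does run in
parallel here; a production sensor would do the same thing in C, but the
shape (bounded inflate, status per body, score fed back per server) is
what carries over.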

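The second point in Seth's reply, a netflow-style record that also
carries the direction of the connection and the protocol seen inside
it, is worked through below as an added example. It is not conn.bro and
not Bro's output format; the packet tuples, the tab-separated layout and
the handful of payload prefixes used to name the service are all
constructed for illustration. It includes the case a flow exporter has
to handle: capture started after the client's SYN, so the first packet
seen is the server's SYN/ACK and naive "first sender is the client"
would get the direction backwards.

```python
from dataclasses import dataclass

# Payload prefixes used to name the service independently of the port.
# Constructed stand-in for protocol detection; not Bro's signatures.
SERVICE_SIGNATURES = (
    (b"SSH-", "ssh"),
    (b"GET ", "http"),
    (b"POST ", "http"),
    (b"HTTP/", "http"),
    (b"\x16\x03", "ssl"),
)


@dataclass
class Flow:
    orig: tuple          # (host, port) of the side that opened the connection
    resp: tuple          # (host, port) of the side that answered
    start: float
    end: float
    orig_bytes: int = 0
    resp_bytes: int = 0
    orig_pkts: int = 0
    resp_pkts: int = 0
    service: str = "-"


def _detect_service(payload):
    for prefix, name in SERVICE_SIGNATURES:
        if payload.startswith(prefix):
            return name
    return None


def build_flows(packets):
    """Fold (ts, src, sport, dst, dport, flags, payload) tuples into bidirectional flows.

    Both directions of a connection share one canonical key, so each flow
    record counts packets and payload bytes per direction.
    """
    flows = {}
    for ts, src, sport, dst, dport, flags, payload in packets:
        a, b = (src, sport), (dst, dport)
        key = (a, b) if a <= b else (b, a)  # same key whichever side sent the packet
        flow = flows.get(key)
        if flow is None:
            # First packet decides direction: a SYN/ACK means the SYN was missed,
            # so the *destination* of this packet is the originator; otherwise
            # (SYN, or a mid-stream packet) the sender is taken as originator.
            if "S" in flags and "A" in flags:
                flow = Flow(orig=b, resp=a, start=ts, end=ts)
            else:
                flow = Flow(orig=a, resp=b, start=ts, end=ts)
            flows[key] = flow
        flow.end = ts
        if a == flow.orig:
            flow.orig_pkts += 1
            flow.orig_bytes += len(payload)
        else:
            flow.resp_pkts += 1
            flow.resp_bytes += len(payload)
        if flow.service == "-" and payload:
            flow.service = _detect_service(payload) or "-"
    return sorted(flows.values(), key=lambda f: f.start)


def render(flows):
    """One tab-separated line per flow: ts, orig, resp, proto, service, duration, bytes, pkts."""
    lines = []
    for f in flows:
        fields = (f"{f.start:.6f}", f.orig[0], f.orig[1], f.resp[0], f.resp[1],
                  "tcp", f.service, f"{f.end - f.start:.6f}",
                  f.orig_bytes, f.resp_bytes, f.orig_pkts, f.resp_pkts)
        lines.append("\t".join(str(x) for x in fields))
    return lines


# Constructed sample traffic (ts, src, sport, dst, dport, tcp flags, payload)
HTTP_REQ = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
HTTP_RESP = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
SSH_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"

SAMPLE_PACKETS = [
    # HTTP on a non-standard port; the full handshake was captured
    (1226937600.000, "10.0.0.5", 51000, "198.51.100.7", 8080, "S", b""),
    (1226937600.010, "198.51.100.7", 8080, "10.0.0.5", 51000, "SA", b""),
    (1226937600.011, "10.0.0.5", 51000, "198.51.100.7", 8080, "A", b""),
    (1226937600.012, "10.0.0.5", 51000, "198.51.100.7", 8080, "PA", HTTP_REQ),
    (1226937600.050, "198.51.100.7", 8080, "10.0.0.5", 51000, "PA", HTTP_RESP),
    (1226937600.060, "10.0.0.5", 51000, "198.51.100.7", 8080, "FA", b""),
    (1226937600.070, "198.51.100.7", 8080, "10.0.0.5", 51000, "FA", b""),
    # SSH where capture missed the client's SYN: first packet seen is the SYN/ACK
    (1226937601.000, "203.0.113.9", 22, "10.0.0.5", 40000, "SA", b""),
    (1226937601.001, "10.0.0.5", 40000, "203.0.113.9", 22, "A", b""),
    (1226937601.002, "203.0.113.9", 22, "10.0.0.5", 40000, "PA", SSH_BANNER),
    (1226937601.003, "10.0.0.5", 40000, "203.0.113.9", 22, "PA", SSH_BANNER),
]

if __name__ == "__main__":
    for line in render(build_flows(SAMPLE_PACKETS)):
        print(line)
```

The service column comes from the payload, not the port, which is why
the HTTP session on 8080 is still labelled http; the direction logic is
the minimum needed to get originator and responder right when the
handshake was only partly seen.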