[Discussion] Just one question

jjohnson at jdmc.org jjohnson at jdmc.org
Fri Mar 20 15:41:40 UTC 2009


> Thorsten wrote:
>
> Bro can already do that for HTTP traffic:
  ...
> Taken from the changelog (http://bro-ids.org/wiki/index.php/Version_1.4)
> Seth Hall is using that in production, perhaps he can report on the
> performance impact.

  Thank you for the pointer to a tool I had never heard of. I've got it
  compiled and am playing with it.

  For those of you looking for an example of a reassembly tool, my
  favorite has been tcpflow.

http://www.circlemud.org/~jelson/software/tcpflow/

  However, it caused some grief for me; apparently some of the ssh
  exploits looked like one big flow. I came in to the office and it looked
  like a 2 gig transfer to a foreign IP instead of a bunch of little
  attempts.

  John
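An added illustration of the symptom John describes (example code, not tcpflow's and not from the original thread): it assumes the cause is a reassembler that keys flows on the 4-tuple alone, so repeated connections that reuse the same client port are concatenated into one apparent transfer, and shows that splitting on each opening SYN recovers the individual attempts. The packet records and addresses are constructed.

```python
from collections import defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    ts: float      # seconds since start of capture
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # TCP flags as letters, e.g. "S", "PA", "R"
    payload: int   # payload bytes carried by this segment


def by_tuple(pkts):
    """Naive reassembly: one flow per 4-tuple, connection boundaries ignored."""
    total = defaultdict(int)
    for p in pkts:
        total[(p.src, p.sport, p.dst, p.dport)] += p.payload
    return dict(total)


def by_connection(pkts):
    """Start a new connection record whenever a bare SYN arrives on a 4-tuple."""
    conns, open_conn = [], {}
    for p in pkts:
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S" or key not in open_conn:
            open_conn[key] = {"key": key, "start": p.ts, "bytes": 0, "pkts": 0}
            conns.append(open_conn[key])
        c = open_conn[key]
        c["bytes"] += p.payload
        c["pkts"] += 1
    return conns


# Constructed sample: three short SSH attempts that reuse the same client port
# (RFC 5737 documentation addresses, not real hosts).
ATTEMPTS = []
for i in range(3):
    t = i * 10.0
    ATTEMPTS += [
        Pkt(t + 0.0, "198.51.100.7", 40001, "203.0.113.10", 22, "S", 0),
        Pkt(t + 0.1, "198.51.100.7", 40001, "203.0.113.10", 22, "PA", 64),
        Pkt(t + 0.2, "198.51.100.7", 40001, "203.0.113.10", 22, "PA", 64),
        Pkt(t + 0.3, "198.51.100.7", 40001, "203.0.113.10", 22, "R", 0),
    ]

if __name__ == "__main__":
    print("by 4-tuple:", by_tuple(ATTEMPTS))          # one flow, 384 bytes
    for c in by_connection(ATTEMPTS):                  # three connections, 128 bytes each
        print("connection at %.1fs: %d pkts, %d bytes" % (c["start"], c["pkts"], c["bytes"]))
```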
