[Discussion] Just one question

• Previous message (by thread): [Discussion] Just one question
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> Thorsten wrote:
>
> Bro can already do that for HTTP traffic:
  ...
> Taken from the changelog (http://bro-ids.org/wiki/index.php/Version_1.4)
> Seth Hall is using that in production, perhaps he can report in the
> performance impact.

  Thank you for the pointer to a tool I had never heard of. I've got it
  compiled and am playing with it.

  For those of you looking for an example of a reassembly tool, my
  favorite has been tcpflow .

http://www.circlemud.org/~jelson/software/tcpflow/

  However, it caused some grief for me, apparently some of the ssh
  exploits looked like one big flow. Came in to the office and it looked
  like a 2 gig transfer to a foreign ip instead of a bunch of little
  attempts.

  John


This message is confidential, intended only for the named recipient(s) and
may contain information that is privileged or exempt from disclosure under
applicable law.  If you are not the intended recipient(s), you are
notified that the dissemination, distribution or copying of this message
is strictly prohibited.  If you receive this message in error, or are not
the named recipient(s), please notify the sender at the e-mail address
above and delete this e-mail from your computer.  Thank you.

• Previous message (by thread): [Discussion] Just one question
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]