[Oisf-devel] accessing flowints and flowbits in decode

David Mandelberg dmandelb at bbn.com
Wed Feb 27 21:29:24 UTC 2013


Hi,

I'm trying to implement an interactive session alert based on
http://ouah.org/backdoor-sec00.pdf.

I considered doing it as a set of rules using flowints and flowbits, but
as far as I can tell, there's no way to access the difference in time
between when two packets are received. Also, it seems like the
performance of multiple rules triggering on every single packet might be
suboptimal.

Because of the above, I think the best place to implement it is a common
function called by both DecodeIPV4 and DecodeIPV6. Does that seem like
the right place? Is there enough information at those points to
determine if the packet is part of a flow and access per-flow integers
and bits if it is? Is there a way to get the packet arrival time that
works for both live capture and reading pcap files? Is there any reason
not to format the packet arrival time as a *nix time and store it in a
flowint?
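The post describes storing the arrival time of the previous packet per flow and comparing it with the current packet's arrival time. The following C program is an added illustration of that bookkeeping and is not Suricata code, not code from the referenced paper, and not an answer from the list; it is a stand-alone model in which a flow is identified by a caller-supplied key string, the previous arrival time is kept as a Unix timestamp in microseconds (the role the post proposes for a flowint), and the flow is flagged when a run of small-payload packets arrives at human-typing intervals. The function names (`observe_packet`, `simulate_flow`), the flow key format, the constructed traffic and every threshold are assumptions chosen for illustration.

```c
/* Added example, not Suricata code: per-flow inter-arrival tracking.
 * Thresholds and names are illustrative assumptions. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define MAX_FLOWS 16
#define MIN_GAP_US   50000   /* 50 ms: faster than this looks machine-driven */
#define MAX_GAP_US 2000000   /* 2 s: slower than this looks idle */
#define MAX_PAYLOAD     20   /* bytes: keystroke-sized packets */
#define ALERT_COUNT      8   /* consecutive matching packets before flagging */

struct flow_state {
    char key[64];
    int64_t last_us;       /* previous arrival time, microseconds since epoch */
    int interactive_hits;  /* consecutive keystroke-like packets */
    int alerted;
};

static struct flow_state flows[MAX_FLOWS];
static int nflows;

/* Find or create the state record for a flow key. */
static struct flow_state *flow_lookup(const char *key) {
    for (int i = 0; i < nflows; i++)
        if (strcmp(flows[i].key, key) == 0) return &flows[i];
    if (nflows == MAX_FLOWS) return NULL;
    struct flow_state *f = &flows[nflows++];
    memset(f, 0, sizeof *f);
    strncpy(f->key, key, sizeof f->key - 1);
    f->last_us = -1;  /* no previous packet yet */
    return f;
}

/* Feed one packet. ts_us is the capture timestamp (the same field is
 * available for live capture and pcap replay). Returns 1 the first time
 * the flow crosses the alert threshold, 0 otherwise. */
int observe_packet(const char *key, int64_t ts_us, int payload_len) {
    struct flow_state *f = flow_lookup(key);
    if (f == NULL) return 0;
    int64_t gap = (f->last_us < 0) ? -1 : ts_us - f->last_us;
    f->last_us = ts_us;  /* store arrival time for the next comparison */
    if (gap >= MIN_GAP_US && gap <= MAX_GAP_US && payload_len <= MAX_PAYLOAD)
        f->interactive_hits++;
    else
        f->interactive_hits = 0;
    if (f->interactive_hits >= ALERT_COUNT && !f->alerted) {
        f->alerted = 1;
        return 1;
    }
    return 0;
}

/* Drive n evenly spaced packets through one flow; return the index of
 * the packet that raised the alert, or -1 if none did. */
int simulate_flow(const char *key, int64_t start_us, int64_t gap_us,
                  int payload_len, int n) {
    int fired = -1;
    for (int i = 0; i < n; i++)
        if (observe_packet(key, start_us + i * gap_us, payload_len))
            fired = i;
    return fired;
}

int main(void) {
    /* Constructed traffic: keystroke-sized packets 200 ms apart, then a
     * bulk transfer of 1400-byte packets 1 ms apart. */
    int64_t t0 = 1362000000000000LL;  /* arbitrary Unix time in microseconds */
    int a = simulate_flow("10.0.0.5:51234->10.0.0.9:22", t0, 200000, 1, 10);
    int b = simulate_flow("10.0.0.5:51235->10.0.0.9:443", t0, 1000, 1400, 10);
    printf("ssh-like flow alerted at packet %d, bulk flow at %d\n", a, b);
    return 0;
}
```

The first packet of a flow has no predecessor and never counts; with ALERT_COUNT set to 8, the alert fires on the ninth keystroke-sized packet (index 8), while the bulk flow never matches because its gaps and payloads fall outside the window.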