[Oisf-users] UDP reassembly behaviour
Seth Hall
seth at icir.org
Wed Jun 20 16:07:17 UTC 2012
On Jun 20, 2012, at 4:27 AM, Michel SABORDE wrote:
> But Bro, if you set up a rule on IP protocol (not UDP), does reassemble.
> I don't have time to investigate why Bro has chosen this behaviour, but I'm sure there is a good reason.
This question came up internally recently. I suspect it was originally done as a performance optimization, but we also use signatures very differently than Suricata in most cases, and we don't typically have a need to match packets in the same way.
That said, I don't know offhand if there is a way to make the signature matching happen per-packet on UDP in Bro. We accept patches however. :)
.Seth
--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/