[Oisf-users] UDP reassembly behaviour
Victor Julien
victor at inliniac.net
Wed Jun 20 16:10:17 UTC 2012
On 06/20/2012 06:07 PM, Seth Hall wrote:
>
> On Jun 20, 2012, at 4:27 AM, Michel SABORDE wrote:
>
>> But Bro, if you set up a rule on IP protocol (not UDP), does reassemble.
>> I don't have time to investigate why Bro has chosen this behaviour, but I'm sure there is a good reason.
>
> This question came up internally recently. I suspect it was originally done as a performance optimization but we also use signatures very differently than Suricata in most cases and we don't typically have a need to match packets in the same way.
So does Bro make any effort to figure out the correct order of the UDP
datagrams before doing the "reassembly"? I guess with higher level
protocol knowledge you could do it.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
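The point under discussion (per-datagram matching versus concatenating the UDP payloads of a flow, and why the concatenation order matters) can be illustrated with a small simulation. The following is an added example, not code from Bro, Suricata or anyone on this thread; the datagrams, the pattern and the two-byte application sequence prefix are all constructed for the illustration.

```python
from collections import defaultdict

# Constructed sample capture: (src, sport, dst, dport, payload) in arrival order.
# The pattern b"EVIL-CMD" is split across two datagrams of the same UDP flow,
# with an unrelated datagram from another flow in between.
DATAGRAMS = [
    ("10.0.0.1", 4000, "10.0.0.2", 5000, b"hello EV"),
    ("10.0.0.3", 4001, "10.0.0.2", 5000, b"unrelated"),
    ("10.0.0.1", 4000, "10.0.0.2", 5000, b"IL-CMD run"),
]
PATTERN = b"EVIL-CMD"


def match_per_packet(datagrams, pattern):
    """Per-datagram inspection (the behaviour Suricata is described as having):
    each UDP payload is searched on its own. Returns indices of matching datagrams."""
    return [i for i, d in enumerate(datagrams) if pattern in d[4]]


def concat_by_flow(datagrams):
    """IP-level 'reassembly' as described for Bro: payloads of the same
    5-tuple are concatenated in arrival order. UDP carries no sequence
    number, so arrival order is the only order available at this layer."""
    flows = defaultdict(bytes)
    for src, sport, dst, dport, payload in datagrams:
        flows[(src, sport, dst, dport)] += payload
    return flows


def match_per_flow(datagrams, pattern):
    """Search the concatenated per-flow buffers. Returns the matching flow keys."""
    return sorted(k for k, buf in concat_by_flow(datagrams).items() if pattern in buf)


def swap(datagrams, i, j):
    """Simulate out-of-order delivery by exchanging two datagrams in the capture."""
    out = list(datagrams)
    out[i], out[j] = out[j], out[i]
    return out


# Constructed toy application protocol: each payload starts with a 2-byte
# big-endian sequence number. This is the "higher level protocol knowledge"
# that would let a reassembler restore the sender's order.
SEQ_DATAGRAMS = [
    ("10.0.0.1", 4000, "10.0.0.2", 5000, b"\x00\x01IL-CMD run"),  # arrived first
    ("10.0.0.1", 4000, "10.0.0.2", 5000, b"\x00\x00hello EV"),    # arrived second
]


def reassemble_with_app_seq(datagrams):
    """Order each flow's datagrams by the constructed application sequence
    number before concatenating, and strip the 2-byte header."""
    flows = defaultdict(list)
    for src, sport, dst, dport, payload in datagrams:
        seq = int.from_bytes(payload[:2], "big")
        flows[(src, sport, dst, dport)].append((seq, payload[2:]))
    return {k: b"".join(p for _, p in sorted(v)) for k, v in flows.items()}


if __name__ == "__main__":
    print("per-packet matches:", match_per_packet(DATAGRAMS, PATTERN))
    print("per-flow matches (in-order arrival):", match_per_flow(DATAGRAMS, PATTERN))
    print("per-flow matches (out-of-order arrival):",
          match_per_flow(swap(DATAGRAMS, 0, 2), PATTERN))
    print("app-seq reassembly:", reassemble_with_app_seq(SEQ_DATAGRAMS))
```

Per-datagram matching never sees the split pattern, the arrival-order concatenation sees it only when the datagrams happen to arrive in the order they were sent, and only the version that understands the application's own sequencing reconstructs the stream deterministically. The same effect can work the other way round: a buffer built from reordered datagrams can contain a byte sequence the sender never transmitted, so cross-datagram matches over UDP should be treated as arrival-order artifacts unless the application layer supplies the ordering.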