[ https://bro-tracker.atlassian.net/browse/BIT-1119?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15305#comment-15305 ]

Robin Sommer commented on BIT-1119:
-----------------------------------

{quote}
have some script warn if all TCP connections are missing 100% of content and 
suggest toggling detect_filtered_trace
{quote}

I like that; is that something we can do efficiently?

{quote}
 But if it's actually not that important for a person using filtered traces to 
minimize output, I think it's fine enough as is?
{quote}

It's less the volume of output than the potential for confusion: one sees it and 
starts wondering what's wrong. It's easy to forget that TCP analysis gets 
confused because the trace is filtered. So if there were some way to point that 
out, that's all it would need. 

It's not a biggie, but it's indeed in the same category as the checksums: 
something easy to get wrong without realizing what's going on, in particular 
because we're changing the default here.


> topic/jsiwek/tcp-improvements
> -----------------------------
>
>                 Key: BIT-1119
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-1119
>             Project: Bro Issue Tracker
>          Issue Type: Improvement
>          Components: Bro
>    Affects Versions: git/master
>            Reporter: Jon Siwek
>             Fix For: 2.3
>
>
> This branch is in the bro, bro-testing, and bro-testing-private repos and has 
> a few changes to improve reporting of TCP connection sizes and gaps (commit 
> messages explain in more detail).
> The baseline changes in the external repos all seemed reasonable/explainable 
> (or actually fix a problem).  There's too much changed to go through 
> case-by-case and actually check things, but I did do closer examinations of 
> unique differences as I came across them (e.g. try to corroborate Bro results 
> via wireshark).  Then for those that seem to follow the same trend as 
> something I already inspected, I wouldn't manually check.



--
This message was sent by Atlassian JIRA
(v6.2-OD-07-028#6211)
_______________________________________________
bro-dev mailing list
bro-dev@bro.org
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
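One way to implement the warning Jon proposes above (flag a trace in which every TCP connection is missing all of its content and suggest toggling detect_filtered_trace), written as an added example for this thread and not code from the Bro branch under review. It assumes the Bro 2.x script API as of this discussion: content_gap events report the bytes the TCP analyzer could not see, endpoint size reports the bytes it did account for, and Reporter::warning is the channel for the hint. The module name, the threshold, and the "gap bytes >= payload size" test for "100% missing" are this example's own choices, not the project's.

```bro
##! Added example (not from the bro repo): warn at shutdown when every TCP
##! connection in the input lost all of its payload to content gaps, which is
##! the symptom of analyzing a filtered/truncated trace with the default
##! (unfiltered) TCP analysis settings.

module FilteredTraceCheck;

export {
	## Fraction of TCP connections that must have lost all payload before
	## we warn. 1.0 means "all of them", as suggested in the ticket.
	## (Hypothetical tunable for this example.)
	const warn_fraction = 1.0 &redef;
}

# Per-connection sum of bytes reported via content_gap; dropped on removal.
global gap_bytes: table[conn_id] of count &default=0;

global tcp_conns = 0;        # TCP connections seen by connection_state_remove
global fully_missing = 0;    # TCP connections whose gaps covered all payload

event content_gap(c: connection, is_orig: bool, seq: count, length: count)
	{
	# Same counter Conn::Info.missed_bytes is built from; kept locally so
	# this script does not depend on the conn log being loaded.
	gap_bytes[c$id] += length;
	}

event connection_state_remove(c: connection)
	{
	# Only TCP has reassembly gaps; ignore UDP/ICMP.
	if ( get_port_transport_proto(c$id$resp_p) != tcp )
		return;

	++tcp_conns;

	# Bytes the analyzer accounted for in either direction.
	local payload = c$orig$size + c$resp$size;

	# "Missing 100% of content": gaps account for at least all payload.
	# Connections with no payload at all (e.g. SYN/RST only) are skipped
	# so a handshake-only trace does not trigger the hint.
	if ( payload > 0 && c$id in gap_bytes && gap_bytes[c$id] >= payload )
		++fully_missing;

	delete gap_bytes[c$id];
	}

event bro_done()
	{
	if ( tcp_conns == 0 )
		return;

	local frac = fully_missing * 1.0 / tcp_conns;

	if ( frac >= warn_fraction )
		Reporter::warning(fmt("%d of %d TCP connections are missing all of their content; if this is a filtered/truncated trace, consider 'redef detect_filtered_trace = T;'",
		                      fully_missing, tcp_conns));
	}
```

Run it alongside the normal scripts with something like `bro -r filtered.pcap local FilteredTraceCheck.bro`; the check costs one table update per gap and one comparison per TCP connection, so it adds nothing measurable to a trace run. If the thread's concern about spurious gap reporting is confirmed, the same counters can be reused to warn on a lower fraction by redefining warn_fraction.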