I'm not sure I agree without additional context. ICMP exfil is a known technique. Wouldn't you want to know if all of a sudden, you started seeing gigs of ICMP? Or is there some other limitation that would make detecting this problematic?
What I would recommend instead is simply adding the protocols to the ports. So, instead of "top ports: 53, 80, 443, 8" you would see: "top ports: 53/udp, 80/tcp, 443/tcp, 8/icmp". Would this be sufficient to solve the ICMP/port number confusion?

On Tue, Apr 26, 2016 at 8:07 AM, Adam Slagell (JIRA) <j...@bro-tracker.atlassian.net> wrote:
>
> [ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25900#comment-25900 ]
>
> Adam Slagell commented on BIT-1571:
> -----------------------------------
>
> Talking with Seth, he agrees that it probably just makes more sense to
> leave ICMP out of the connection summaries.
>
> > Connection summaries w/ IPv6 have poor readability
> > -------------------------------------------------
> >
> > Key: BIT-1571
> > URL: https://bro-tracker.atlassian.net/browse/BIT-1571
> > Project: Bro Issue Tracker
> > Issue Type: Improvement
> > Components: BroControl
> > Affects Versions: 2.4
> > Reporter: Adam Slagell
> > Assignee: Daniel Thayer
> > Priority: Low
> > Fix For: 2,5
> >
> > Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt
> >
> > The variable length of IPv6 and being mixed with IPv4 causes alignment
> > issues with the white space in the connection summary emails.
>
> --
> This message was sent by Atlassian JIRA
> (v1000.5.0#72002)
> _______________________________________________
> bro-dev mailing list
> bro-dev@bro.org
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
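The "port/proto" labelling proposed in the reply above, together with the ICMP-volume check it argues for and a column width that keeps mixed IPv4/IPv6 addresses aligned (the ticket's original complaint), as an added illustration. This is not BroControl's connection-summary code; the records are constructed to mimic a few conn.log fields, and the assumption that the numeric field of an ICMP record holds the ICMP type rather than a port is labelled in the code.

```python
from collections import Counter, defaultdict

# Constructed sample records resembling a few Bro conn.log fields; not captured data.
# Assumption: for the icmp rows the "port" field carries the ICMP type (8 = echo
# request), which is why a port-only line such as "top ports: 53, 80, 443, 8" is
# misleading. The labelling below does not depend on what the number means.
SAMPLE_CONNS = [
    {"orig_h": "10.0.0.5",     "resp_h": "10.0.0.53",            "port": 53,  "proto": "udp",  "bytes": 180},
    {"orig_h": "10.0.0.7",     "resp_h": "93.184.216.34",        "port": 443, "proto": "tcp",  "bytes": 52000},
    {"orig_h": "2001:db8::10", "resp_h": "2606:4700:4700::1111", "port": 53,  "proto": "udp",  "bytes": 200},
    {"orig_h": "10.0.0.7",     "resp_h": "93.184.216.34",        "port": 80,  "proto": "tcp",  "bytes": 3400},
    {"orig_h": "2001:db8::10", "resp_h": "2001:db8:ffff::2",     "port": 443, "proto": "tcp",  "bytes": 9100},
    {"orig_h": "10.0.0.9",     "resp_h": "198.51.100.20",        "port": 8,   "proto": "icmp", "bytes": 64},
    {"orig_h": "10.0.0.9",     "resp_h": "198.51.100.20",        "port": 8,   "proto": "icmp", "bytes": 64},
    {"orig_h": "10.0.0.9",     "resp_h": "198.51.100.20",        "port": 8,   "proto": "icmp", "bytes": 1_500_000},
]


def top_ports(conns, n=5):
    """Most common destinations as 'port/proto' labels, most common first.

    Keying on (port, proto) means ICMP type 8 is reported as '8/icmp' and can
    never be confused with TCP or UDP port 8.
    """
    counts = Counter(f"{c['port']}/{c['proto']}" for c in conns)
    return [label for label, _ in counts.most_common(n)]


def bytes_by_proto(conns):
    """Total bytes per transport protocol over the summary window."""
    totals = defaultdict(int)
    for c in conns:
        totals[c["proto"]] += c["bytes"]
    return dict(totals)


def icmp_volume_alert(conns, threshold_bytes):
    """Detection check: ICMP normally carries little payload, so a large byte
    total in one summary window is worth surfacing rather than dropping the
    protocol from the report. Returns (exceeded, icmp_bytes)."""
    total = bytes_by_proto(conns).get("icmp", 0)
    return total > threshold_bytes, total


def top_hosts(conns, n=3):
    """Busiest originators with byte totals. The address column width is
    computed from the longest address present, so IPv4 and IPv6 entries
    line up instead of relying on a fixed-width field."""
    totals = Counter()
    for c in conns:
        totals[c["orig_h"]] += c["bytes"]
    rows = totals.most_common(n)
    width = max(len(host) for host, _ in rows)
    return [f"{host.ljust(width)}  {nbytes:>10}" for host, nbytes in rows]


def format_summary(conns, n_ports=5, icmp_threshold=1_000_000):
    """Render a small connection summary in the style of the emailed reports."""
    lines = ["top ports: " + ", ".join(top_ports(conns, n_ports))]
    lines.append("top originators (bytes):")
    lines.extend("  " + row for row in top_hosts(conns))
    exceeded, total = icmp_volume_alert(conns, icmp_threshold)
    if exceeded:
        lines.append(f"NOTE: {total} bytes of ICMP in this window (threshold {icmp_threshold})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(SAMPLE_CONNS))
```

With the sample above the report lists "8/icmp" first, keeps the IPv6 originator aligned with the IPv4 ones, and appends the ICMP note because the constructed window carries about 1.5 MB of ICMP; the threshold is a placeholder that a deployment would tune against its own baseline.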