> On Jul 11, 2016, at 8:44 PM, Azoff, Justin S <[email protected]> wrote:
>
> It is.. amazing! The unified code is simpler, uses less memory, puts less
> load on sumstats, generates nicer notice messages, and detects attackers
> scanning across multiple victims AND ports.
Nice job Justin! Perhaps this begs the question of whether we should use this version in Bro? We do have a tendency to make design decisions so that Bro works the best that it can with minimal configuration for even the largest sites.

I think the notices are very reasonable and have the additional benefit of being a single notice to watch for "scanning". Having to watch for two different notices always felt a bit unnatural. I think that I personally care about scans, not the type of scan being performed (although there may be some nuance to that that someone is taking advantage of?).

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
