On 02/03/18 03:52, Vlad Grigorescu wrote:
> I would like to propose a new event in Bro, one that would fire when a UDP
> connection is established (i.e. a response is observed within some time
> frame after a request is seen). Basically, the UDP equivalent of
> connection_established.
>
> [...]
>
> Does anyone have thoughts about this?

I definitely see the need to correlate request-response pairs for UDP protocols, but as UDP is *connectionless*, the term UDP connection sounds very strange to me. Maybe a general notion of request-response protocols could be established. Corresponding protocols could trigger general events. For some protocols there might even be a session concept.

Jan

_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
