True, I'm just basing it off of Bro's mechanism to turn some UDP traffic into "connections" that fit into its model.
I guess what I'm looking for is a connection_state_add to go with the existing connection_state_remove. It wouldn't be UDP-specific, but it might fit the current event model a bit better.

On Mon, Mar 5, 2018 at 4:55 AM, Jan Grashöfer <[email protected]> wrote:

> On 02/03/18 03:52, Vlad Grigorescu wrote:
> > I would like to propose a new event in Bro, one that would fire when a UDP
> > connection is established (i.e. a response is observed within some time
> > frame after a request is seen). Basically, the UDP equivalent of
> > connection_established.
> >
> > [...]
> >
> > Does anyone have thoughts about this?
>
> I definitely see the need to correlate request-response-pairs for UDP
> protocols but as UDP is *connectionless*, the term UDP connection sounds
> very strange to me. Maybe a general notion of request-response protocols
> could be established. Corresponding protocols could trigger general
> events. For some protocols there might be even a session concept.
>
> Jan
> _______________________________________________
> bro-dev mailing list
> [email protected]
> http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
