Would it make sense for us to begin indicating if Bro "flipped" a connection in the conn.log? Occasionally I see stuff that shows up in various places (right now I'm seeing it in weird.log) and might just be a host doing a SYN scan with src port 80, but Bro will flip that due to the likely_server_ports variable. It seems to me like an additional boolean value in conn.log would be helpful to know if a connection was flipped or not.
Right now though this information doesn't seem to be available at the script land anywhere. Am I correct on that?

.Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
