[ https://bro-tracker.atlassian.net/browse/BIT-724?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Seth Hall updated BIT-724:
--------------------------

    Resolution: Rejected
        Status: Closed  (was: Open)

There was some contention over this and we've left it for a few releases so I 
think it's stuck at this point. :)

> Changing semantics of ConnSizeAnalyzer
> --------------------------------------
>
>                 Key: BIT-724
>                 URL: https://bro-tracker.atlassian.net/browse/BIT-724
>             Project: Bro Issue Tracker
>          Issue Type: Problem
>          Components: Bro
>            Reporter: Seth Hall
>            Priority: High
>
> I think we should change what the conn size analyzer is measuring.  It 
> currently measures the size of the connection from the IP header down (or up, 
> depending on how you look at it).  From my perspective that data is rarely 
> (if ever?) useful.  What is more useful is a counted value for the connection 
> size.  c$(orig|resp)$size takes its measurement from sequence counting and 
> can get confused in some cases (Chinese firewall sending RST packets for 
> instance).
> This is the patch I'm proposing:
> {noformat}
> diff --git a/scripts/base/init-bare.bro b/scripts/base/init-bare.bro
> index 859a69f..21a9b60 100644
> --- a/scripts/base/init-bare.bro
> +++ b/scripts/base/init-bare.bro
> @@ -66,10 +66,10 @@ type endpoint: record {
>  
>         ## Number of packets on the wire
>         ## Set if :bro:id:`use_conn_size_analyzer` is true.
> -       num_pkts: count &optional;      
> -       ## Number of IP-level bytes on the wire
> +       counted_pkts: count &optional;
> +       ## Number of content bytes on the wire
>         ## Set if :bro:id:`use_conn_size_analyzer` is true.
> -       num_bytes_ip: count &optional;  
> +       counted_bytes: count &optional;
>  };
>  
>  type endpoint_stats: record {
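Review bot: The renames `num_pkts` -> `counted_pkts` and `num_bytes_ip` -> `counted_bytes` in the `endpoint` record silently break every script that reads the old field names, and nothing in the hunk keeps or deprecates them; consider leaving `num_bytes_ip` in place beside the new field for a release, or at least calling the rename out where users will see it. The doc comments also disagree with the new names: `## Number of packets on the wire` is kept unchanged above `counted_pkts`, and `## Number of content bytes on the wire` mixes "content bytes" with "on the wire", so state plainly that this is the delivered payload length rather than IP-level bytes.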
> diff --git a/src/ConnSizeAnalyzer.cc b/src/ConnSizeAnalyzer.cc
> index a1b892f..5d0efcd 100644
> --- a/src/ConnSizeAnalyzer.cc
> +++ b/src/ConnSizeAnalyzer.cc
> @@ -39,12 +39,12 @@ void ConnSize_Analyzer::DeliverPacket(int len, const 
> u_char* data, bool is_orig,
>  
>         if ( is_orig )
>                 {
> -               orig_bytes += ip->TotalLen();
> +               orig_bytes += len;
>                 orig_pkts ++;
>                 }
>         else
>                 {
> -               resp_bytes += ip->TotalLen();
> +               resp_bytes += len;
>                 resp_pkts ++;
>                 }
>         }
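Review bot: Replacing `ip->TotalLen()` with `len` changes the unit from IP-level bytes to whatever length the parent analyzer delivers, and since every delivered packet is added unconditionally, retransmitted segments are counted again; that is the main way `counted_bytes` will diverge from the sequence-based `size`, and the record comment in init-bare.bro should say so. With both uses of `ip->TotalLen()` removed, check whether the `ip` pointer used in the removed lines is still needed in this function, and note that the patch does not show the code that fills `num_pkts`/`num_bytes_ip` being updated to the renamed `counted_pkts`/`counted_bytes` fields, so the two files may not build together as posted.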
> {noformat}
> If no one has a problem with this, I'd like to make the change for the 2.0 
> release because I'm having trouble currently with counting bytes for the SSH 
> analyzer and we're getting more false positives than we should be seeing.



--
This message was sent by Atlassian JIRA
(v6.2-OD-09-036#6252)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
