Or don't count it in the port statistics, but still count it in the protocol stats. So you would see a ton of protocol #1.

But I think I like your suggestion better because it separates things like 53/tcp and 53/udp.

On Apr 26, 2016, at 9:04 AM, Vlad Grigorescu <[email protected]> wrote:

> I'm not sure I agree without additional context. ICMP exfil is a known technique. Wouldn't you want to know if all of a sudden, you started seeing gigs of ICMP? Or is there some other limitation that would make detecting this problematic?
>
> What I would recommend instead is simply adding the protocols to the ports. So, instead of "top ports: 53, 80, 443, 8" you would see: "top ports: 53/udp, 80/tcp, 443/tcp, 8/icmp"
>
> Would this be sufficient to solve the ICMP/port number confusion?
>
> On Tue, Apr 26, 2016 at 8:07 AM, Adam Slagell (JIRA) <[email protected]> wrote:
>
> > [ https://bro-tracker.atlassian.net/browse/BIT-1571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=25900#comment-25900 ]
> >
> > Adam Slagell commented on BIT-1571:
> > -----------------------------------
> >
> > Talking with Seth, he agrees that it probably just makes more sense to leave ICMP out of the connection summaries.
> >
> > > Connection summaries w/ IPv6 have poor readability
> > > -------------------------------------------------
> > >
> > >                 Key: BIT-1571
> > >                 URL: https://bro-tracker.atlassian.net/browse/BIT-1571
> > >             Project: Bro Issue Tracker
> > >          Issue Type: Improvement
> > >          Components: BroControl
> > >    Affects Versions: 2.4
> > >            Reporter: Adam Slagell
> > >            Assignee: Daniel Thayer
> > >            Priority: Low
> > >             Fix For: 2.5
> > >
> > >         Attachments: [Bro] Connection summary from 15_53_27-16_00_00.txt
> > >
> > >
> > > The variable length of IPv6 and being mixed with IPv4 causes alignment issues with the white space in the connection summary emails.
> >
> > --
> > This message was sent by Atlassian JIRA
> > (v1000.5.0#72002)
> >
> > _______________________________________________
> > bro-dev mailing list
> > [email protected]
> > http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev

------
Adam J. Slagell
Chief Information Security Officer
Director, Cybersecurity Division
National Center for Supercomputing Applications
University of Illinois at Urbana-Champaign
www.slagell.info

"Under the Illinois Freedom of Information Act (FOIA), any written communication to or from University employees regarding University business is a public record and may be subject to public disclosure."
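The port/protocol labelling Vlad proposes above, worked through as an added example (this is not code from the thread, from Bro or from BroControl's summary script). The records are constructed and only loosely modelled on conn.log columns; the assumption that the "port" column of an ICMP record carries the ICMP type (8 = echo request) is made for illustration. The point it shows is the one under discussion: a port-only summary folds 53/tcp into 53/udp and lets a large ICMP type-8 volume masquerade as "port 8", while the labelled form keeps them apart so an unusual ICMP byte count stays visible.

```python
from collections import Counter

# Constructed sample records: (proto, port, total bytes). Values are made up
# for this example. For ICMP the "port" field is assumed to hold the ICMP
# type, so 8 is an echo request, not TCP/UDP port 8.
SAMPLE = [
    ("udp", 53, 1_200),
    ("udp", 53, 900),
    ("tcp", 53, 400),      # DNS over TCP (e.g. a larger response)
    ("tcp", 80, 5_000),
    ("tcp", 443, 8_000),
    ("icmp", 8, 70_000),   # unusually large echo-request volume
    ("tcp", 8, 100),       # a genuine TCP port-8 flow, distinct from ICMP type 8
]


def summarise(records, key, n=4):
    """Sum bytes per key(proto, port) and return the top n as (label, bytes)."""
    totals = Counter()
    for proto, port, nbytes in records:
        totals[key(proto, port)] += nbytes
    return totals.most_common(n)


def port_only(proto, port):
    """The ambiguous label: protocol is dropped, so 8/icmp and 8/tcp collide."""
    return str(port)


def port_with_proto(proto, port):
    """The label Vlad suggests: port and protocol kept together."""
    return f"{port}/{proto}"


def top_ports_ambiguous(records, n=4):
    return summarise(records, port_only, n)


def top_ports_labelled(records, n=4):
    return summarise(records, port_with_proto, n)


def format_line(summary):
    """Render a summary in the 'top ports: ...' style used in the thread."""
    return "top ports: " + ", ".join(label for label, _ in summary)


if __name__ == "__main__":
    print(format_line(top_ports_ambiguous(SAMPLE)))  # 8, 443, 80, 53
    print(format_line(top_ports_labelled(SAMPLE)))   # 8/icmp, 443/tcp, 80/tcp, 53/udp
```

Ranking by bytes rather than by connection count is a deliberate choice here: it is the byte volume that makes a sudden ICMP spike stand out, which is the detection concern raised in the reply.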
