[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: TCP small fragments

In message <705dc23ce7a2a92f9e7867b15fe72647@mac.com>, pmrn writes:
>But, the crud can be baselined and thresholded and alarmed when such 
>crud exceeds a certain threshold. With Bro, isn't possible to define 
>such thresholds in the policy engine and the weird module. Of course, 
>one has to gain prior knowledge of the network.

As Vern said, there's always crud -- an amazing amount of it.  You 
can't easily characterize it unless you operate a network with a very 
narrow range of normal destinations -- there's too much legitimate 
traffic to too many different machines.

		--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb