Re: TCP small fragments
In message <705dc23ce7a2a92f9e7867b15fe72647@mac.com>, pmrn writes:
>
>But, the crud can be baselined and thresholded and alarmed when such
>crud exceeds a certain threshold. With Bro, isn't it possible to define
>such thresholds in the policy engine and the weird module? Of course,
>one has to gain prior knowledge of the network.
>
As Vern said, there's always crud -- an amazing amount of it. You
can't easily characterize it unless you operate a network with a very
narrow range of normal destinations -- there's too much legitimate
traffic to too many different machines.
--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb