
Re: TCP small fragments



> But the crud can be baselined and thresholded and alarmed when such
> crud exceeds a certain threshold. With Bro, isn't it possible to define
> such thresholds in the policy engine and the weird module? Of course,
> one has to gain prior knowledge of the network.

While Bro makes this sort of thresholding easy to express, its utility is
low, as Steve noted in his follow-on message.  Many attacks that are similar
to crud don't significantly increase the volume of the crud, they're just
one more instance among dozens of (benign) others.  So the threshold doesn't
help in detecting their presence.

> I have read your paper, as a matter of fact, I have read all your 
> papers and they are immensely helpful to me in understanding many 
> security issues.

Highly gratifying to hear, thanks!

		Vern
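The following is an added illustration, not code from the thread or from Bro itself: a minimal baseline-and-threshold alarm of the kind the quoted message proposes, run over constructed hourly counts of benign "crud" (odd TCP fragments, say) from a hypothetical network. It makes the reply's point concrete: an attack that shows up as one more weird event among dozens of benign ones stays well under a statistically derived threshold, so the alarm never fires for it. The count values and the mean-plus-k-sigma rule are assumptions chosen for the example, not anything the message specifies.

```python
"""
Added example (not from the mailing-list thread or the Bro project): a
baseline-and-threshold alarm over per-hour counts of "weird" events, and a
check of how much headroom a low-volume attack has underneath the threshold.
All event counts below are constructed sample data, not real Bro output.
"""
import math
from statistics import mean, pstdev

# Constructed training data: hourly counts of benign crud observed during a
# quiet baseline window on a hypothetical network (assumption, not real data).
BASELINE_HOURLY_COUNTS = [31, 28, 35, 30, 27, 33, 29, 32, 34, 30, 28, 31]


def threshold_from_baseline(counts, k=3.0):
    """Alarm threshold = mean + k * population stddev of the training counts.

    The mean-plus-k-sigma rule is one common way to turn a baseline into a
    threshold; it is an assumption of this example, not something the thread
    prescribes.
    """
    return mean(counts) + k * pstdev(counts)


def exceeds_threshold(observed, threshold):
    """True when an hour's count would raise the alarm."""
    return observed > threshold


def simulate_hour(benign_count, attack_instances):
    """Count an hour would show if attack_instances attack-generated weird
    events are mixed in with benign_count benign crud events. Each attack
    instance is assumed to produce exactly one weird event."""
    return benign_count + attack_instances


def attack_instances_to_alarm(benign_count, threshold):
    """Smallest number of extra events that pushes an otherwise typical hour
    over the threshold. Anything below this blends into the crud unnoticed."""
    return max(0, math.floor(threshold - benign_count) + 1)


if __name__ == "__main__":
    thr = threshold_from_baseline(BASELINE_HOURLY_COUNTS)
    typical = round(mean(BASELINE_HOURLY_COUNTS))
    print(f"baseline mean={mean(BASELINE_HOURLY_COUNTS):.1f} "
          f"sd={pstdev(BASELINE_HOURLY_COUNTS):.2f} threshold={thr:.1f}")
    # One attack instance in an otherwise ordinary hour: no alarm.
    one = simulate_hour(typical, 1)
    print(f"typical hour + 1 attack event = {one}: "
          f"alarm={exceeds_threshold(one, thr)}")
    # How many extra events it would take before the threshold fires.
    print(f"extra events needed to alarm: "
          f"{attack_instances_to_alarm(typical, thr)}")
```

With these constructed counts the threshold lands just under 38 events per hour, so a single attack instance in a 30-event hour is invisible to the alarm and roughly eight extra events would be needed before it fires; lowering `k` narrows that gap but raises the false-alarm rate on the benign crud the baseline was built from.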