Comparison data between bro-1.4prerelease and bro-1.2.1.

I ran the two bro versions with 6 tcpdump files and registered the differences
on the following table:

                                  tcpdumpfile1  tcpdumpfile2  tcpdumpfile3  tcpdumpfile4  tcpdumpfile5  tcpdumpfile6
weird event                       1.2-1.4       1.2-1.4       1.2-1.4       1.2-1.4       1.2-1.4       1.2-1.4

spontaneous_RST                   15-1          4-3           4-1           11-19         32-1          56-1
spontaneous_FIN                   10-1          8-0           9-0           85-55         25-2          71-1
window_recision                   26-26         29-29         0-0           48-48         0-0           52-52
SYN_seq_jump                      1-1           0-0           0-0           1-1           0-0           0-0
SYN_inside_connection             1-1           0-0           0-0           0-0           0-0           0-0
active_connection_reuse           1-0           0-0           0-0           0-0           0-0           0-0
unsolicited_SYN_response          1-0           7-7           0-0           1-1           0-0           0-0
SYN_after_close                   0-1           0-0           0-0           0-0           0-0           0-0
above_hole_data_without_any_acks  0-0           1-1           0-0           0-0           0-0           0-0
data_before_established           0-0           0-0           0-0           1-1           0-0           0-0

So, the difference is essentially around the spontaneous_RST and spontaneous_FIN
weird events. The dump files are for web-browsing-only traffic. I don't know if
this has any practical interest, but that's what I get using bro-1.4prerelease, for
this very small sample and very limited set of network protocols.

The command line I use:
export BROPATH=/usr/local/bro-1.2.1/policy:/usr/local/bro-1.2.1/site
/usr/local/bro-1.2.1/bin/bro -r tcpdumpfile

The same for bro-1.4prerelease, but here the bro environment is set up for the
directories where the policy and sig files are:
/usr/local/bro1.4prerelease/share/bro:/usr/local/bro1.4prerelease/share/bro/sigs
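Below is an added example (not part of the original post, and not Bro's own tooling) of how the side-by-side counts in the table above can be produced from the weird output of the two runs. It assumes the weird log is a text file in which the weird name is the last whitespace-separated field of each line; the sample log lines are constructed, and the bro invocations in the comments are the ones from the post.

```shell
#!/bin/sh
# Added example: tabulate weird-event counts from two Bro runs as "old-new".
# Assumption: each line of the weird output ends with the weird name
# (e.g. "... spontaneous_RST"); change $NF below if your version differs.
#
# The two runs themselves, as in the post:
#   export BROPATH=/usr/local/bro-1.2.1/policy:/usr/local/bro-1.2.1/site
#   /usr/local/bro-1.2.1/bin/bro -r tcpdumpfile
#   (and likewise for bro-1.4prerelease with its share/bro:share/bro/sigs BROPATH)

# make_samples DIR: write constructed weird output for both versions into DIR.
make_samples() {
  cat > "$1/weird-1.2.log" <<'EOF'
1204185600.123456 10.0.0.5/33412 > 192.0.2.10/80: spontaneous_RST
1204185601.223456 10.0.0.5/33413 > 192.0.2.10/80: spontaneous_FIN
1204185602.323456 10.0.0.5/33414 > 192.0.2.11/80: window_recision
1204185603.423456 10.0.0.5/33415 > 192.0.2.12/80: spontaneous_RST
1204185604.523456 10.0.0.5/33416 > 192.0.2.12/80: active_connection_reuse
1204185605.623456 10.0.0.5/33417 > 192.0.2.13/80: spontaneous_FIN
1204185606.723456 10.0.0.5/33418 > 192.0.2.13/80: spontaneous_RST
EOF
  cat > "$1/weird-1.4.log" <<'EOF'
1204185600.123456 10.0.0.5/33412 > 192.0.2.10/80: spontaneous_RST
1204185602.323456 10.0.0.5/33414 > 192.0.2.11/80: window_recision
1204185607.823456 10.0.0.5/33419 > 192.0.2.14/80: SYN_after_close
EOF
}

# count_weird FILE: print "name count" per weird name, sorted by name.
count_weird() {
  awk '{ c[$NF]++ } END { for (n in c) print n, c[n] }' "$1" | sort
}

# compare_weird OLDFILE NEWFILE: print "name old-new" for every weird name seen
# in either file, using 0 where a name is absent from one of the runs.
compare_weird() {
  awk '
    FILENAME == ARGV[1] { old[$NF]++; seen[$NF] = 1; next }
                        { new[$NF]++; seen[$NF] = 1 }
    END { for (n in seen) print n, (old[n] + 0) "-" (new[n] + 0) }
  ' "$1" "$2" | sort
}

# Stand-alone run on the constructed samples.
dir=$(mktemp -d)
make_samples "$dir"
echo "weird event  1.2-1.4"
compare_weird "$dir/weird-1.2.log" "$dir/weird-1.4.log"
rm -rf "$dir"
```

Run it once per tcpdump file (pointing compare_weird at the weird output of each version's run) to fill one column of the table; the "0" filling matters because a weird that one version never reports would otherwise silently drop out of the comparison.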

> So, the difference is essentially around the spontaneous_RST and spontaneous_FIN
> weird events.

These then are harmless differences. Those will vary in unimportant ways
depending on the setting of timers and details of connection tear-down.

    Vern