flow-level analysis code

> > Actually, I think it does make sense. Bro can do a fair amount of analysis
> > based on TCP SYN/FIN/RST packets and UDP request/replies without seeing
> > packet contents. For example, its scan detection is driven off of this
> > level of information.
>
> But where will you take it beyond scans?

As Jean-Philippe mentioned in his reply, you can use it for forms of
analysis along the lines of "host A contacted host B and host B replied,
is that allowed?" For some forms of contact, you can't really do this
without having packet contents, since host B may have replied at the app
layer saying "I refuse to talk to you", but for other forms you can tell
if proscribed communication occurred just by the volumes of data transferred
in each direction.

> Maybe automatic 'stepping stone' detection based on flows? Or flow
> profiling (for backdoors and trojans with new prots)?

Yes, for some of that too. I'm also working with some students on detecting
some other types of anomalies that indicate likely attacks that work at
this level.

    Vern
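A worked illustration of the volume-based check Vern describes above (an added example, not code from this thread or from Bro itself): each flow record carries only endpoints, responder port, payload bytes in each direction and the connection state, and the classification decides whether a proscribed contact actually exchanged data, was refused at the transport level, or stays ambiguous because an application-layer "I refuse to talk to you" cannot be told apart from a short legitimate exchange without payload. The `Flow` and `Rule` fields, the 256-byte threshold, the subnets and the sample records are all assumptions; the state names follow Bro's `conn_state` vocabulary (S0, REJ, SF).

```python
"""Flow-level policy check: from endpoints, port, per-direction byte counts and
connection state alone, decide whether proscribed contact actually happened."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    orig: str         # originator: the host that opened the connection
    resp: str         # responder
    resp_port: int
    orig_bytes: int   # payload bytes sent originator -> responder
    resp_bytes: int   # payload bytes sent responder -> originator
    state: str        # connection state, using Bro's conn_state names:
                      # S0 = SYN, no reply; REJ = SYN answered by RST;
                      # SF = normal establishment and close


@dataclass(frozen=True)
class Rule:
    """Contact from orig_net to resp_net on these responder ports is proscribed."""
    orig_net: str
    resp_net: str
    ports: frozenset


# Assumed threshold: this much responder payload means a real exchange took
# place, not just a banner followed by "go away".
DATA_BYTES = 256


def classify(f: Flow) -> str:
    """What the flow summary alone lets us say about the contact."""
    if f.state == "S0":
        return "no_reply"            # B never answered
    if f.state == "REJ":
        return "refused_transport"   # B refused at the TCP level
    if f.orig_bytes > 0 and f.resp_bytes >= DATA_BYTES:
        return "data_exchanged"      # volume in both directions: contact succeeded
    # B answered with little or nothing. That may be an application-layer
    # "I refuse to talk to you", or a short legitimate exchange; without
    # payload the two look the same.
    return "ambiguous"


def matches(rule: Rule, f: Flow) -> bool:
    return (ip_address(f.orig) in ip_network(rule.orig_net)
            and ip_address(f.resp) in ip_network(rule.resp_net)
            and f.resp_port in rule.ports)


def audit(flows, rules):
    """Split proscribed contacts into confirmed violations, cases that need
    payload to decide, and refused/unanswered attempts."""
    report = {"violation": [], "needs_payload": [], "attempt": []}
    for f in flows:
        if not any(matches(r, f) for r in rules):
            continue
        verdict = classify(f)
        if verdict == "data_exchanged":
            report["violation"].append(f)
        elif verdict == "ambiguous":
            report["needs_payload"].append(f)
        else:
            report["attempt"].append(f)
    return report


# Constructed sample: 10.0.1.0/24 must not talk to 198.51.100.0/24 on ssh/telnet.
RULES = [Rule("10.0.1.0/24", "198.51.100.0/24", frozenset({22, 23}))]
FLOWS = [
    Flow("10.0.1.5", "198.51.100.7", 22, 1500, 2200, "SF"),  # full session
    Flow("10.0.1.6", "198.51.100.7", 22, 0, 0, "REJ"),       # port closed
    Flow("10.0.1.7", "198.51.100.8", 22, 40, 30, "SF"),      # banner, then dropped?
    Flow("10.0.1.8", "198.51.100.9", 23, 0, 0, "S0"),        # never answered
    Flow("10.0.2.9", "198.51.100.7", 22, 1500, 2200, "SF"),  # not covered by rule
    Flow("10.0.1.5", "198.51.100.7", 443, 900, 9000, "SF"),  # allowed port
]

if __name__ == "__main__":
    for kind, fs in audit(FLOWS, RULES).items():
        for f in fs:
            print(f"{kind:13} {f.orig} -> {f.resp}:{f.resp_port} ({classify(f)})")
```

The split matters for what an analyst does next: `violation` entries can be acted on from the flow record alone, `attempt` entries show that policy held at the far end, and `needs_payload` entries are exactly the cases Vern points out where only packet contents can settle the question.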

Vern Paxson wrote:

> Maybe automatic 'stepping stone' detection based on flows? Or flow
> profiling (for backdoors and trojans with new prots)?
>
> Yes, for some of that too. I'm also working with some students on detecting
> some other types of anomalies that indicate likely attacks that work at
> this level.
>
>   Vern

In fact, using Bro/Netflow with "stepping stone" detection in mind is a very
interesting concept. Since all flows coming from the "outside" must normally
travel through something like a router, we have the ability to see and detect a
problem quickly (using the correct analyzer).
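To make the stepping-stone idea raised in this thread concrete, here is an added example (not code from the thread, from Bro, or from Vern's published stepping-stone work) of a simplified heuristic that runs over flow summaries seen at a border: an inbound session into a local host and an outbound session leaving that same host are paired when they start close together, wind down together, and carry similar byte volumes in the corresponding directions (what came in is roughly what went out, and what came back is roughly what was returned). The `Flow` fields, the local net, the 30-second window, the 25% tolerance and the sample records are assumptions.

```python
"""Pair inbound and outbound flow summaries that look like a relayed session
through a local host (a simplified stepping-stone heuristic)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    start: float      # seconds, first packet
    end: float        # seconds, last packet
    orig: str         # originator
    resp: str         # responder
    resp_port: int
    orig_bytes: int   # payload originator -> responder
    resp_bytes: int   # payload responder -> originator


# Assumed: the monitored site; everything else is "outside".
LOCAL = ip_network("10.0.0.0/8")


def is_local(ip: str) -> bool:
    return ip_address(ip) in LOCAL


def similar(a: int, b: int, tol: float) -> bool:
    """True when the two volumes differ by at most tol of the larger one."""
    if a == 0 and b == 0:
        return True
    return abs(a - b) <= tol * max(a, b)


def stepping_stone_candidates(flows, start_window=30.0, tol=0.25):
    """Return (inbound, outbound) pairs where a host that was entered from
    outside opened an onward connection to outside that mirrors the session."""
    inbound = [f for f in flows if not is_local(f.orig) and is_local(f.resp)]
    outbound = [f for f in flows if is_local(f.orig) and not is_local(f.resp)]
    pairs = []
    for i in inbound:
        for o in outbound:
            if o.orig != i.resp:
                continue          # relay must leave from the host that was entered
            if not (i.start <= o.start <= i.start + start_window):
                continue          # onward hop starts shortly after the entry
            if o.end > i.end + start_window:
                continue          # both sessions wind down together
            # Keystrokes travel inbound->outbound, screen output the other way,
            # so the corresponding byte volumes should be close.
            if (similar(i.orig_bytes, o.orig_bytes, tol)
                    and similar(i.resp_bytes, o.resp_bytes, tol)):
                pairs.append((i, o))
    return pairs


# Constructed sample flows, times in seconds.
FLOWS = [
    Flow(100.0, 700.0, "203.0.113.4", "10.0.5.10", 22, 4200, 61000),     # entry
    Flow(112.0, 695.0, "10.0.5.10", "198.51.100.20", 22, 4000, 58000),   # relayed hop
    Flow(115.0, 400.0, "10.0.5.10", "198.51.100.21", 443, 900, 250000),  # unrelated download
    Flow(900.0, 1200.0, "10.0.5.10", "198.51.100.22", 22, 4100, 60000),  # later, unrelated
    Flow(110.0, 690.0, "10.0.5.11", "198.51.100.23", 22, 4200, 61000),   # other host
    Flow(105.0, 700.0, "10.0.5.10", "10.0.9.1", 22, 4100, 60000),        # internal only
]

if __name__ == "__main__":
    for i, o in stepping_stone_candidates(FLOWS):
        print(f"{i.orig} -> {i.resp}:{i.resp_port} relayed to "
              f"{o.resp}:{o.resp_port} (start gap {o.start - i.start:.0f}s)")
```

Byte-volume similarity over whole flows is a coarse signal and will miss relays whose onward hop is compressed or encrypted differently, and it will pair unrelated sessions that happen to match; it is meant to show what can be attempted from the router's vantage point with no payload, with the pairs it produces treated as candidates for closer inspection rather than verdicts.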