[JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readabiity

Vlad_Grigorescu1 · April 26, 2016, 2:04pm

I’m not sure I agree without additional context. ICMP exfil is a known technique. Wouldn’t you want to know if all of a sudden, you started seeing gigs of ICMP? Or is there some other limitation that would make detecting this problematic?

What I would recommend instead is simply adding the protocols to the ports. So, instead of “top ports: 53, 80, 443, 8” you would see: “top ports: 53/udp, 80/tcp, 443/tcp, 8/icmp”

Would this be sufficient to solve the ICMP/port number confusion?

Slagell_Adam_J · April 26, 2016, 2:10pm

Or don’t count it in the port statistics, but still count it in the protocol stats. So you would see a ton of protocol #1

But I think I like your suggestion better because it separates things like 53/tcp and 53/udp.

Topic		Replies	Views
icmp and bro Zeek	1	95	May 6, 2022
icmp and bro Zeek	1	86	May 6, 2022
Something is not clear to me concerning reporting Zeek	7	73	May 6, 2022
Progress in the IPv6 support Zeek	4	197	May 6, 2022
Bro patch Zeek	3	101	May 6, 2022

[JIRA] (BIT-1571) Connection summaries w/ IPv6 have poor readabiity

Related topics