I’ve noticed some remnants of Vern’s work around detecting systems used as stepping stones within Bro’s source. Could someone on the list shed light on why and when it was deprecated? Many thanks,
-AK
If I recall correctly, I believe the detection doesn’t work well on clusters. The same worker would need to see all traffic associated with a given stepping stone (both traffic from the internet to that hop, and from that hop to the target system).
–Vlad
That makes sense. Thanks for satisfying my curiosity.
-AK
Yeah, that's one problem. Another (related) is that conceptually the
stepping stone detector is hardcoded into the core system, rather than
implemented at script-land as pretty much evertthing else is.
Robin
This is harder than it sounds. Bro could be used to provide input to
some kind of machine learning system, that discovers patterns on
how/when your internals servers are accessed and to warn on something
that's 'interesting', with potentially a scoring system.