I would like to propose a new event in Bro, one that would fire when a UDP connection is established (i.e. a response is observed within some time frame after a request is seen). Basically, the UDP equivalent of connection_established.
Currently, I think the only way to do this would be either with new_connection or with udp_reply. Neither of these seems like a great solution, as they’d require keeping state in script-land, and most of the events wouldn’t be useful.
Does anyone have thoughts about this? Thanks,
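For reference, here is what the script-land workaround the post describes looks like: a Bro script (Zeek today) that uses new_connection and udp_reply to raise a "UDP established" event the first time a responder packet is seen within a time window of the first packet. This is an added example, not code from the original thread or from the Bro project; the event name udp_established, the module name and the reply_window constant are this example's own choices.

```zeek
# Added example (not from the thread or the Bro distribution): emulate a
# "UDP connection established" event in script-land.
#
# Assumptions: the event name udp_established, the module name and the
# reply_window constant are hypothetical names chosen for this example.

module UDPEstablished;

export {
    ## Hypothetical event: raised once per UDP flow the first time a packet
    ## from the responder is seen within reply_window of the first packet.
    global udp_established: event(c: connection);

    ## How long after the first packet a reply still counts as a response.
    const reply_window = 5sec &redef;
}

# Script-land state: UDP flows that have seen a first packet but no reply.
# &create_expire drops entries reply_window after insertion, so flows that
# never get a reply do not accumulate and the window check is implicit.
global pending: set[conn_id] &create_expire=reply_window;

event new_connection(c: connection)
    {
    # new_connection fires for every transport; only track UDP flows here.
    if ( get_port_transport_proto(c$id$resp_p) == udp )
        add pending[c$id];
    }

event udp_reply(u: connection)
    {
    # udp_reply fires for every responder packet; only the first one within
    # the window matters, and flows whose entry already expired are ignored.
    if ( u$id !in pending )
        return;

    delete pending[u$id];
    event udp_established(u);
    }

event udp_established(c: connection)
    {
    print fmt("UDP flow %s:%s -> %s:%s saw a reply within %s",
              c$id$orig_h, c$id$orig_p, c$id$resp_h, c$id$resp_p, reply_window);
    }
```

Two caveats a practitioner should keep in mind: udp_reply is generated per responder packet, so the handler runs far more often than the one useful firing per flow, which is exactly the overhead the post is trying to avoid; and the set entry is keyed on the conn_id, so a flow that Bro later re-uses under the same 4-tuple would need its own handling if the distinction matters.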
I definitely see the need to correlate request-response pairs for UDP protocols, but as UDP is *connectionless*, the term UDP connection sounds very strange to me. Maybe a general notion of request-response protocols could be established. Corresponding protocols could trigger general events. For some protocols there might even be a session concept.
True, I’m just basing it off of Bro’s mechanism to turn some UDP traffic into “connections” that fit into its model.
I guess what I’m looking for is a connection_state_add to go with the existing connection_state_remove. It wouldn’t be UDP-specific, but it might fit the current event model a bit better.