
Re: TCP small fragments

My thought is, the so-called crud can be one of the variables in an analysis model. I happen to think sniffing and analyzing every packet from the wire is not a practical, economic solution. I would also state that any model looking at only one or two variables is prone to large errors.

Actually, I am working on such a model, so all opinions are welcome and helpful. I have read almost all of the papers written by both of you, and they helped me to understand many issues in dealing with the security problem. I am hoping that as I work through the issues, it will lead me to find and generate some ideas for the model.


On Feb 22, 2005, at 10:29 AM, Steven M. Bellovin wrote:

In message <705dc23ce7a2a92f9e7867b15fe72647@mac.com>, pmrn writes:
But the crud can be baselined and thresholded, and alarmed when such
crud exceeds a certain threshold. With Bro, isn't it possible to define
such thresholds in the policy engine and the weird module? Of course,
one has to gain prior knowledge of the network.

As Vern said, there's always crud -- an amazing amount of it. You
can't easily characterize it unless you operate a network with a very
narrow range of normal destinations -- there's too much legitimate
traffic to too many different machines.

--Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb

Pall Ramanathan
Work: 678-9359670
Mobile: 678-576-7105


Learn like you will live forever and live like you will die tomorrow. -Gandhi
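The baseline-and-threshold idea pmrn raises above, as an added example that is not part of this thread: a hypothetical Python script that counts weird events per hour, derives a per-name baseline (mean plus k sigma) from a training period, and alarms when a later hour exceeds it. The log lines are constructed, and their column layout is an assumption for the example, not Bro's actual weird.log format.

```python
import statistics
from collections import Counter, defaultdict
# Constructed sample lines (timestamp src dst weird_name); the layout is an
# assumption for this example, not Bro's real weird.log format.
TRAINING_LOG = """\
1109100000 10.0.0.5 10.0.1.9 TCP_small_fragments
1109100900 10.0.0.7 10.0.1.9 TCP_small_fragments
1109103600 10.0.0.8 10.0.1.9 TCP_small_fragments
1109104500 10.0.0.5 10.0.1.9 TCP_small_fragments
1109105000 10.0.0.9 10.0.1.9 TCP_small_fragments
1109107200 10.0.0.5 10.0.1.9 TCP_small_fragments
1109108000 10.0.0.6 10.0.1.9 TCP_small_fragments
1109110800 10.0.0.5 10.0.1.9 TCP_small_fragments
1109112000 10.0.0.5 10.0.1.9 TCP_small_fragments
1109113000 10.0.0.5 10.0.1.9 TCP_small_fragments
"""
# Observed period: one busy hour (12 events) followed by a quiet one (2 events).
OBSERVED_LOG = "\n".join(
    [f"{1109113200 + 60 * i} 10.0.0.{10 + i % 5} 10.0.1.9 TCP_small_fragments" for i in range(12)]
    + ["1109117000 10.0.0.5 10.0.1.9 TCP_small_fragments",
       "1109118000 10.0.0.6 10.0.1.9 TCP_small_fragments"])

def count_per_window(text, window=3600):
    """Map each window start (epoch seconds) to a Counter of weird names seen in it."""
    counts = defaultdict(Counter)
    for line in text.splitlines():
        if line.strip():
            ts, _src, _dst, name = line.split()
            counts[int(ts) - int(ts) % window][name] += 1
    return dict(counts)
def baseline(training_counts, name):
    """Mean and population stdev of one weird name's per-window count in training."""
    vals = [c[name] for c in training_counts.values()]
    return statistics.mean(vals), statistics.pstdev(vals)
def alarm_level(mean, sd, k=3.0, min_excess=5):
    """mean + k*sigma, floored at mean + min_excess so a name with near-zero
    variance in training does not alarm on a single extra event."""
    return max(mean + k * sd, mean + min_excess)
def alarms(observed_counts, name, level):
    """(window_start, count) for every observed window whose count exceeds the level."""
    return [(w, c[name]) for w, c in sorted(observed_counts.items()) if c[name] > level]
def run(name="TCP_small_fragments"):
    mean, sd = baseline(count_per_window(TRAINING_LOG), name)
    return alarms(count_per_window(OBSERVED_LOG), name, alarm_level(mean, sd))

if __name__ == "__main__":
    for window_start, n in run():
        print(f"ALARM: {n} TCP_small_fragments events in hour starting {window_start}")
```

Per-name baselines sidestep Bellovin's objection to characterizing all crud at once: each weird name gets its own level, and names never seen in training simply never alarm.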