Re: TCP small fragments

[pmrn <pmrn@mac.com>]

My thought is, the so called crud can be one of the variables in an analysis model. I happen to think, sniffing and analyzing every packet from the wire is not practical economic solution. I would also state any model looking at only one or two variables is prone to large errors. 

Actually, working on a such a model, so all opinions are welcome and helpful. Read almost all of the papers written by both of you and it helped me to understand many issues in dealing with the security problem. I am hoping as I work through the issues, it will lead me to find and some generate some ideas for model.

Thanks,

Pall
On Feb 22, 2005, at 10:29 AM, Steven M. Bellovin wrote:

> In message <705dc23ce7a2a92f9e7867b15fe72647@mac.com>, pmrn writes:
> > But, the crud can be baselined and thresholded and alarmed when such 
> > crud exceeds a certain threshold. With Bro, isn't possible to define 
> > such thresholds in the policy engine and the weird module. Of course, 
> > one has to gain prior knowledge of the network.
>
> As Vern said, there's always crud -- an amazing amount of it.  You 
> can't easily characterize it unless you operate a network with a very 
> narrow range of normal destinations -- there's too much legitimate 
> traffic to too many different machines.
>
> --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb
Pall Ramanathan
Work: 678-9359670
Mobile: 678-576-7105

www.amalannetworks.com

Learn like you will live for ever and Live like you will die tomorrow-Gandhi