https://bro-tracker.atlassian.net/browse/BIT-1264?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18228#comment-18228
Jon Siwek commented on BIT-1264:
--------------------------------
{quote}
Is it possible for bro to infer the packets belong to a responder, because the
connection started with a SYN+ACK rather than just a SYN? Or is that a major
change for an edge case, although not unheard of on SPAN ports?
{quote}
It is possible to do that: you can take a look at BIT-1236 which mentions a
branch that implements that change, but it isn't 100% accurate (check out the
github pull request comments also linked in that ticket). Haven't yet
revisited to see if something more can be done and not sure right now how deep
the changes would be to improve it.
> HTTP response not detected on nonstandard port
> ----------------------------------------------
>
> Key: BIT-1264
> URL: https://bro-tracker.atlassian.net/browse/BIT-1264
> Project: Bro Issue Tracker
> Issue Type: Problem
> Components: Bro
> Affects Versions: git/master
> Environment: CentOS 6
> Reporter: Jimmy Jones
> Attachments: relaxed.bro, relaxed-http.sig, sample-small2-rsp.pcap,
> sample-small-rsp.pcap
>
>
> Using the attached bro script I've tweaked the HTTP signature to match on
> http responses without the corresponding HTTP request TCP session. I know in
> a proper setup you should never get single sided traffic, but certainly when
> using bro as a tool you have to deal with it sometimes.
> Bro handles this fine when the HTTP is on port 80, but not when on port 4321
> (see attached PCAPs). I'm curious as to why?
--
This message was sent by Atlassian JIRA
(v6.4-OD-05-009#64003)
_______________________________________________
bro-dev mailing list
[email protected]
http://mailman.icsi.berkeley.edu/mailman/listinfo/bro-dev
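As an added illustration of the kind of signature the ticket describes (this is not the reporter's attached relaxed-http.sig, which the thread does not reproduce, and the signature name, file name and script contents are assumptions): a responder-only HTTP DPD signature, with comments noting which of the stock signature's constraints it drops and why the SYN+ACK direction issue from the comment above matters.

```bro
# relaxed-http.sig (assumed name), loaded from a script such as relaxed.bro with
#   @load base/protocols/http
#   @load-sigs ./relaxed-http.sig
#
# Bro's shipped HTTP server signature only enables the HTTP analyzer on a
# non-standard port when both of these hold:
#   tcp-state responder                    (payload must come from the responder)
#   requires-reverse-signature dpd_http_client   (the request must also be seen)
# Neither holds for a capture that contains only the server's side of the
# session, so the analyzer is never attached on port 4321, while on port 80 it
# is attached by well-known port regardless of any signature.
#
# The relaxed variant below matches the status line on its own.  It also omits
# tcp-state, because when the capture starts with the server's SYN+ACK Bro can
# label the server as the originator (the caveat raised in the comment above),
# in which case "tcp-state responder" would not match either.
signature dpd_http_server_relaxed {
  ip-proto == tcp
  # HTTP/1.x <3-digit status> ... e.g. "HTTP/1.1 200 OK"
  payload /^HTTP\/[0-9]\.[0-9] [0-9][0-9][0-9]/
  enable "http"
}
```

The cost of dropping the constraints is that any TCP stream whose first payload looks like an HTTP status line gets the HTTP analyzer attached; a non-HTTP stream will then simply raise a protocol violation rather than produce http.log entries.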