[Bro-Dev] #311: DPD mistakenly thinking HTTP is IRC
Bro Tracker
bro at tracker.icir.org
Wed Nov 17 21:02:27 PST 2010
#311: DPD mistakenly thinking HTTP is IRC
---------------------+-----------------
Reporter: vern | Owner:
Type: Problem | Status: new
Priority: Normal | Milestone:
Component: Bro | Version:
Keywords: |
---------------------+-----------------
When running on the attached trace using '''-f tcp detect-
protocols{,-http} dpd http irc mt''' (no doubt some of that is unneeded),
DPD decides it's seeing IRC due to the responder returning the string
"Server" fairly late in the connection. Ideally DPD would have had a
"this is definitely me" sort of response from HTTP, ruling out a later
decision regarding IRC; at a minimum, HTTP shouldn't have given up on it,
and Bro should have reported a hit for multiple protocols.
--
Ticket URL: <http://tracker.icir.org/bro/ticket/311>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker
More information about the bro-dev
mailing list