[Bro-Dev] buglet in FTP processing for 1.E7Vo2Cjyt39.pcap in slice 9

Seth Hall seth at icir.org
Wed Nov 30 20:16:43 PST 2011


On Nov 30, 2011, at 7:10 PM, Vern Paxson wrote:

> 	150 Binary transfer started (7k).

Oops, I haven't seen FTP servers do that before.  I'll fix it.

> I'm not sure whether these are worth worrying about, though.  Presumably
> if the accompanying ftp-data connections were also in the trace, the
> sizes would come from those (?).


I don't think the ftp base scripts pull data from that currently.  That would make sense though. :)  One problem with it is that in cluster deployments it's very common for the data connections to not be analyzed appropriately (it only works if 2-tuple load balancing is taking place).  

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/




More information about the bro-dev mailing list