[Bro] problem with TCP partial connection

Bindiya V S bindiyavs at tataelxsi.co.in
Tue Feb 27 02:55:44 PST 2007


I was trying to use the FTP analyzer in Bro 1.2 to analyze
FTP packets. We were trying to do some tcpreplays with some
captured pcaps. We have some FTP pcaps that do not have any
TCP handshake packets. On replaying these packets, it is
observed that the signature matching for TCP is not getting
invoked (i.e. signatures with ip-proto == tcp).
It looks like the rulematcher of TCP is not getting called. Is
there any way we can invoke the TCP rulematcher for a set of TCP
application packets which don't have any handshake packets?

