[Bro] Load Balancers

Justin Azoff JAzoff at uamail.albany.edu
Sat Feb 6 11:18:52 PST 2010

On Sat, Feb 06, 2010 at 02:04:15PM -0500, Bill Jones wrote:
> Justin,
> Thanks for the response.  I do actually see a "Connection:
> Keep-Alive\r\n" in the GET packet.  From this, can I assume that a
> persistent connection is being held, thus the confusion by Bro?

Right... if the connection is long-lived, there was a handshake; it just
happened before Bro started.

> If so, do you have any ideas or suggestions on how I can get the HTTP
> analyzer to still process these as if the connection had been
> established normally?
> Regards,
> Bill

I'm not sure about the Bro side, but you could probably turn off keepalives on
the load balancer.  It also might have an option somewhere called 'maximum
number of requests' that might be a high number like 5000; you could try
lowering that a bunch, which would cause a handshake to happen frequently
enough to keep Bro happy.

-- Justin Azoff
-- Network Security & Performance Analyst
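
The effect described in the message above, as an added example that is not part of the original post or of Bro: requests on a persistent connection whose SYN predates the capture are counted as mid-stream, and requests after the connection is recycled are counted as analyzable. The packet records, addresses and the names `Pkt`, `flow_key` and `classify_requests` are constructed for illustration, and it assumes an analyzer that needs the handshake cannot process requests on flows whose SYN it never saw.

```python
from collections import namedtuple

# Constructed packet record: TCP flags as a string such as "S", "SA", "PA", "FA".
Pkt = namedtuple("Pkt", "src sport dst dport flags payload")

def flow_key(p):
    """Direction-independent key for a TCP connection."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def classify_requests(packets):
    """Count GET requests on flows whose SYN was observed vs. picked up mid-stream."""
    syn_seen = {}            # flow key -> True if the opening SYN was captured
    analyzable = missed = 0
    for p in packets:
        k = flow_key(p)
        if "S" in p.flags and "A" not in p.flags:
            syn_seen[k] = True           # a new connection starts here
        elif k not in syn_seen:
            syn_seen[k] = False          # first packet seen is already mid-stream
        if p.payload.startswith(b"GET "):
            if syn_seen[k]:
                analyzable += 1
            else:
                missed += 1
    return analyzable, missed

LB, BE = "10.0.0.1", "10.0.0.2"   # constructed addresses: load balancer, backend
OK = b"HTTP/1.1 200 OK\r\n\r\n"

def req(port, path):
    """Constructed keep-alive GET from the load balancer to the backend."""
    return Pkt(LB, port, BE, 80, "PA",
               b"GET " + path + b" HTTP/1.1\r\nConnection: Keep-Alive\r\n\r\n")

SAMPLE = [
    # Persistent connection opened before the monitor started: no SYN in the capture.
    req(40000, b"/a"), Pkt(BE, 80, LB, 40000, "PA", OK),
    req(40000, b"/b"), Pkt(BE, 80, LB, 40000, "PA", OK),
    # Request limit reached: the connection closes and a new one is opened.
    Pkt(LB, 40000, BE, 80, "FA", b""), Pkt(BE, 80, LB, 40000, "FA", b""),
    Pkt(LB, 40001, BE, 80, "S", b""), Pkt(BE, 80, LB, 40001, "SA", b""),
    Pkt(LB, 40001, BE, 80, "A", b""),
    req(40001, b"/c"), Pkt(BE, 80, LB, 40001, "PA", OK),
    req(40001, b"/d"), Pkt(BE, 80, LB, 40001, "PA", OK),
]

if __name__ == "__main__":
    print(classify_requests(SAMPLE))
```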
