[Bro] Load Balancers
bill.jones at syntervision.com
Sat Feb 6 11:36:15 PST 2010
Thanks, that makes sense. I'm not sure if I'll be able to tweak the
load-balancer settings at this time, but if I am, that may indeed
solve this issue. Hopefully, come Monday morning when many more
sessions will be generated, I may actually see some of these
connections as established and bro will operate as expected.
On Sat, Feb 6, 2010 at 2:18 PM, Justin Azoff <JAzoff at uamail.albany.edu> wrote:
> On Sat, Feb 06, 2010 at 02:04:15PM -0500, Bill Jones wrote:
>> Thanks for the response. I do actually see a "Connection:
>> Keep-Alive\r\n" in the GET packet. From this, can I assume that a
>> persistent connection is being held, thus the confusion by bro?
> Right... if the connection is long lived, there was a handshake, it just
> happened before Bro started.
>> If so, do you have any ideas or suggestions on how I can get the HTTP
>> analyzer to still process these as if the connection had been
>> established normally?
> I'm not sure about the Bro side, but you could probably turn off keepalives on
> the load balancer. It also might have an option somewhere called 'maximum
> number of requests' that might be a high number like 5000, you could try
> lowering that a bunch, which would cause a handshake to happen frequently
> enough to keep Bro happy.
> -- Justin Azoff
> -- Network Security & Performance Analyst
More information about the Bro