[Bro] Load Balancers

Bill Jones bill.jones at syntervision.com
Sat Feb 6 11:36:15 PST 2010


Thanks, that makes sense.  I'm not sure if I'll be able to tweak the
load-balancer settings at this time, but if I am, that may indeed
solve this issue.  Hopefully, come Monday morning when many more
sessions will be generated, I may actually see some of these
connections as established and bro will operate as expected.


On Sat, Feb 6, 2010 at 2:18 PM, Justin Azoff <JAzoff at uamail.albany.edu> wrote:
> On Sat, Feb 06, 2010 at 02:04:15PM -0500, Bill Jones wrote:
>> Justin,
>> Thanks for the response.  I do actually see a "Connection:
>> Keep-Alive\r\n" in the GET packet.  From this, can I assume that a
>> persistent connection is being held, thus the confusion by bro?
> Right... if the connection is long lived, there was a handshake, it just
> happened before Bro started.
>> If so, do you have any ideas or suggestions on how I can get the HTTP
>> analyzer to still process these as if the connection had been
>> established normally?
>> Regards,
>> Bill
> I'm not sure about the Bro side, but you could probably turn off keepalives on
> the load balancer.  It also might have an option somewhere called 'maximum
> number of requests' that might be a high number like 5000, you could try
> lowering that a bunch, which would cause a handshake to happen frequently
> enough to keep Bro happy.
> --
> -- Justin Azoff
> -- Network Security & Performance Analyst

More information about the Bro mailing list