[Bro] Option to make Bro willing to decode http sessions not preceded by tcp handshake?

Seth Hall seth at icir.org
Thu Sep 1 07:28:38 PDT 2016


> On Sep 1, 2016, at 9:54 AM, Kevin Branch <kevin at branchnetconsulting.com> wrote:
> 
> I assume that Bro does not consider a stream of tcp/80 packets to be valid http traffic if the tcp handshake is missing.  Is there any way to ask Bro to be more forgiving about this?  Perhaps a no_sweat_the_handshake option?  If so, I believe it would substantially cut down on the number of capME failures experienced by Security Onion users.

That change to the http analyzer has long been needed, but we haven't had the available time to implement it yet because we would need to implement a stream resynchronization mechanism for the HTTP analyzer and it's not trivial with the current analyzer.

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
