[Bro-Dev] #311: DPD mistakenly thinking HTTP is IRC

Bro Tracker bro at tracker.icir.org
Wed Nov 17 21:02:27 PST 2010

#311: DPD mistakenly thinking HTTP is IRC
 Reporter:  vern     |      Owner:
     Type:  Problem  |     Status:  new
 Priority:  Normal   |  Milestone:
Component:  Bro      |    Version:
 Keywords:           |
 When running on the attached trace using '''-f tcp detect-
 protocols{,-http} dpd http irc mt''' (no doubt some of that is unneeded),
 DPD decides it's seeing IRC due to the responder returning the string
 "Server" fairly late in the connection.  Ideally DPD would have had a
 "this is definitely me" sort of response from HTTP, ruling out a later
 decision regarding IRC; at a minimum, HTTP shouldn't have given up on it,
 and Bro should have reported a hit for multiple protocols.

Ticket URL: <http://tracker.icir.org/bro/ticket/311>
Bro Tracker <http://tracker.icir.org/bro>
Bro Issue Tracker

More information about the bro-dev mailing list