[Bro-Dev] #311: DPD mistakenly thinking HTTP is IRC

Gregor Maier gregor at icir.org
Mon Dec 12 08:26:10 PST 2011


>   I solved this problem by improving the DPD regexes for server-to-server
>   IRC (it's in fastpath).  I'll put a note in Gregor's ticket to refer back
>   to this ticket for information about the DPD inadequacies related to IRC.

Note that we should still fix the IRC analyzer. The signatures should 
just be a hint for the analyzer (to speed things up), and the 
analyzer can detect whether it's parsing the right protocol. Without 
resource constraints, DPD could/would run all analyzers on all 
connections, and if an analyzer can't parse the 
connection it detaches from the tree.

(Not changing ticket status yet, since YMMV)


cu
Gregor
-- 
Gregor Maier
<gregor at icir.org>  <gregor at icsi.berkeley.edu>
Int. Computer Science Institute (ICSI)
1947 Center St., Ste. 600
Berkeley, CA 94704, USA
http://www.icir.org/gregor/
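
Added example, not part of the message above and not Bro's own code: a Python sketch of the design it describes, where a loose signature only attaches the analyzer and the analyzer detaches itself on input it cannot parse. The regexes, class names and sample payloads are constructed for illustration.

```python
import re

# Hypothetical, deliberately loose hint (not an actual Bro DPD signature).
LOOSE_IRC_HINT = re.compile(rb"(?i)\b(SERVER|NICK|USER|PASS)\b")
# IRC line grammar: optional ":prefix ", then a command word or 3-digit numeric.
IRC_LINE = re.compile(rb"^(?::\S+ )?([A-Za-z]+|\d{3})(?: .*)?$")
# Subset of IRC commands, enough for this sketch.
IRC_COMMANDS = {b"PASS", b"NICK", b"USER", b"SERVER", b"JOIN",
                b"PRIVMSG", b"PING", b"PONG", b"QUIT"}

# Constructed sample payloads.
HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: probe\r\n\r\n"
IRC = (b"PASS secret\r\nNICK alice\r\nUSER alice 0 * :Alice\r\n"
       b":irc.example.test 001 alice :Welcome\r\n")

class ProtocolViolation(Exception):
    pass

class IRCAnalyzer:
    name = "IRC"

    def deliver(self, payload):
        """Parse each line; raise on anything that is not an IRC message."""
        commands = []
        for line in filter(None, payload.split(b"\r\n")):
            m = IRC_LINE.match(line)
            cmd = m.group(1).upper() if m else None
            if cmd is None or not (cmd.isdigit() or cmd in IRC_COMMANDS):
                raise ProtocolViolation(line[:40])
            commands.append(cmd)
        return commands

class Connection:
    def __init__(self):
        self.analyzers = []    # per-connection analyzer tree, flattened
        self.rejected = set()  # analyzers that already detached
        self.events = []

    def deliver(self, payload):
        # The signature is only a cheap hint that decides whether to attach.
        if (not self.analyzers and "IRC" not in self.rejected
                and LOOSE_IRC_HINT.search(payload)):
            self.analyzers.append(IRCAnalyzer())
        for a in list(self.analyzers):
            try:
                self.events += a.deliver(payload)
            except ProtocolViolation:
                self.analyzers.remove(a)  # analyzer detaches from the tree
                self.rejected.add(a.name)
        return [a.name for a in self.analyzers]
```

The loose hint fires on `User-Agent` in the HTTP sample, but the analyzer rejects the request line and detaches, so no IRC events are produced for that connection.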

