[Bro-Dev] #311: DPD mistakenly thinking HTTP is IRC

Bro Tracker bro at tracker.bro-ids.org
Mon Dec 12 08:26:18 PST 2011


#311: DPD mistakenly thinking HTTP is IRC
-----------------------------+--------------------
  Reporter:  vern            |      Owner:
      Type:  Problem         |     Status:  closed
  Priority:  Normal          |  Milestone:
 Component:  Bro             |    Version:
Resolution:  Solved/Applied  |   Keywords:
-----------------------------+--------------------

Comment (by gregor):

 >  I solved this problem by improving the DPD regexes for server-to-server
 >  IRC (it's in fastpath).  I'll put a note in Gregor's ticket to refer back
 >  to this ticket for information about the DPD inadequacies related to IRC.

 Note that we should still fix the IRC analyzer. The signatures should just
 be a hint for the analyzer (to speed things up) and that the analyzer can
 detect whether it's parsing the right protocol. Without resource
 constraints, DPD could/would run all analyzers on all connections, and if
 an analyzer can't parse the connection it detaches from the tree.

 (Not changing ticket status yet, since YMMV)


 cu
 Gregor

-- 
Ticket URL: <http://tracker.bro-ids.org/bro/ticket/311#comment:6>
Bro Tracker <http://tracker.bro-ids.org/bro>
Bro Issue Tracker
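
The design point in the comment above (signature as a hint, analyzer as the final check), as an added example that is not Bro code and not part of the original message. It is a simplified Python model; the loose regex, the command list, the class and function names, and the sample traffic are all constructed for illustration.

```python
import re

# Constructed, deliberately loose hint (NOT Bro's actual DPD regex):
# it fires on any line that begins with an upper-case word and a space.
LOOSE_IRC_HINT = re.compile(rb"^[A-Z]+ ")

# Assumed subset of IRC commands, enough for the constructed samples below.
IRC_COMMANDS = {b"NICK", b"USER", b"PASS", b"SERVER", b"JOIN",
                b"PRIVMSG", b"PING", b"PONG", b"QUIT"}

# Constructed sample traffic, one protocol line per element.
HTTP_SAMPLE = [b"GET /index.html HTTP/1.1", b"Host: example.com"]
IRC_SAMPLE = [b"NICK alice", b"USER alice 0 * :Alice",
              b":irc.example.net 001 alice :Welcome"]


class ProtocolViolation(Exception):
    """Raised by an analyzer when the data is not its protocol."""


class IrcAnalyzer:
    """Toy analyzer that validates every line instead of trusting the hint."""

    def deliver(self, line: bytes) -> None:
        parts = line.split(b" ")
        if parts[0].startswith(b":"):   # optional ":prefix" before the command
            parts = parts[1:]
        cmd = parts[0] if parts else b""
        numeric_reply = len(cmd) == 3 and cmd.isdigit()
        if cmd.upper() not in IRC_COMMANDS and not numeric_reply:
            raise ProtocolViolation(f"not IRC: {line[:30]!r}")


def analyze(lines):
    """Attach on a signature hint; detach once the analyzer rejects the data."""
    events, analyzer, hinted = [], None, False
    for line in lines:
        if not hinted and LOOSE_IRC_HINT.match(line):
            analyzer, hinted = IrcAnalyzer(), True
            events.append("attach")
        if analyzer is not None:
            try:
                analyzer.deliver(line)
            except ProtocolViolation:
                analyzer = None          # analyzer removes itself from the tree
                events.append("detach")
    return events, analyzer is not None
```

With the loose hint, the HTTP sample still attaches the toy IRC analyzer, but the analyzer detaches on the first line it cannot parse, so no IRC events would be raised for that connection.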


