[Bro-Dev] #354: Allow analyser to process partial HTTP connections.

sridhar basam sri at basam.org
Wed Jan 19 08:40:44 PST 2011


On Wed, Jan 19, 2011 at 11:30 AM, Bro Tracker <bro at tracker.icir.org> wrote:

> #354: Allow analyser to process partial HTTP connections.
> ------------------------------+-----------------
>  Reporter:  sridhar.basam    |      Owner:
>      Type:  Feature Request  |     Status:  new
>  Priority:  Normal           |  Milestone:
>  Component:  Bro              |    Version:
> Resolution:                   |   Keywords:
> ------------------------------+-----------------
>
> Old description:
>
> > By default the HTTP analyser doesn't process packets where bro did not
> > see the initial handshake. I got a couple of 1 line patches from Vern to
> > fix it. Can we roll this into a future release?
> >
> > Sridhar
>
> New description:
>
>  By default the HTTP analyser doesn't process packets where bro did not see
>  the initial handshake. I got a couple of 1 line patches from Vern to fix
>  it. Can we roll this into a future release?
>
>  Sridhar
>
> --
>
> Comment (by seth):
>
>  This is a fairly large change in semantics for how Bro currently functions
>  and I'm curious what your motivation for this change is.  Can you give an
>  example of the conditions where this is causing a problem for you?
>
> --
> Ticket URL: <http://tracker.icir.org/bro/ticket/354#comment:1>
> Bro Tracker <http://tracker.icir.org/bro>
> Bro Issue Tracker
>


I have applications which use a persistant HTTP connections to talk to
upstream services. These connections live for a really long time,
thousands/tens of thousands of requests on a single tcp connection. I use
bro to analyse http request and replies for these applications.  I need the
ability to run the analyser for these partial connections in the pcap file.

 Sridhar
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.icsi.berkeley.edu/pipermail/bro-dev/attachments/20110119/7fdaaffa/attachment.html 


More information about the bro-dev mailing list